Vega Expression Language `scale` expression function Cross Site Scripting

Severity:: Medium

Description

The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript.

Recommendation

Update the vega-functions package to the latest compatible version. Followings are version details:

Affected version(s): < 5.13.1
Patched version(s): 5.13.1

References

GHSA-4vq7-882g-wcg4
github.dev
vega.github.io
CVE-2023-26486
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Volto affected by possible DoS by invoking specific URL by anonymous user - CVE-2025-58047
Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter - CVE-2025-26619
Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] - CVE-2025-27793
Potential DoS when using ContextLines integration (GHSA-r5w7-f542-q2j4) 10 - Vulnerability

Tags:: npm; vega-functions

Anything's wrong? Let us know Last updated on March 09, 2023