Vega Expression Language `scale` expression function Cross Site Scripting (GHSA-4vq7-882g-wcg4)
- Severity: Medium
Description
The Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript. In practice this matters for any application that renders Vega specifications supplied by untrusted users: an expression in such a spec runs in the viewer's browser with the embedding page's origin, so the sandbox escape is a cross-site scripting issue.
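To make the bug class concrete, the following is an added illustration in JavaScript. It is not Vega's code and does not reproduce the advisory's exploit: the registry, the helper names (`getScaleVulnerable`, `getScaleHardened`, `makeScale`) and the stand-in "sandbox" are assumptions for the demo. It shows why a lookup helper that accepts a function value as the scale key, and then calls whatever it resolved with a caller-supplied argument, is already full JavaScript execution, and what the name-only, own-property, registered-scale-only lookup looks like.

```javascript
// Added illustration of the bug class in GHSA-4vq7-882g-wcg4. This is NOT
// Vega's code: the registry, helper names and the "sandbox" below are
// assumptions made for the demo. The point is that an expression function
// which will invoke any callable it is handed, with an argument the
// expression author controls, is already full JavaScript execution.

// Hypothetical scale registry: name -> scale function. Scales are created
// through makeScale so the hardened lookup can tell a real scale from any
// other function value (e.g. something reached via a prototype chain).
const registeredScales = new WeakSet();
function makeScale(fn) {
  registeredScales.add(fn);
  return fn;
}
const scales = { x: makeScale((v) => v * 2) };

// --- Vulnerable pattern ----------------------------------------------------
// Accepts either a name or a function. A function value is returned as-is
// and then called with `value`: "call arbitrary function with one argument".
function getScaleVulnerable(nameOrFn, registry) {
  return typeof nameOrFn === 'function' ? nameOrFn : registry[nameOrFn];
}
function scaleVulnerable(nameOrFn, value, registry = scales) {
  const s = getScaleVulnerable(nameOrFn, registry);
  return s ? s(value) : undefined;
}

// What an expression author can do with that primitive. The only values
// used here are a string literal and the scale function itself. Two calls
// suffice:
//   1. Function('...')  -> compile attacker-chosen source into a function
//   2. thatFunction()   -> run it
function demoVulnerableEscape() {
  const FunctionCtor = ''.constructor.constructor; // reached from a plain string
  const compiled = scaleVulnerable(FunctionCtor, 'return 6 * 7');
  return scaleVulnerable(compiled, undefined); // executes the attacker's source
}

// --- Hardened pattern ------------------------------------------------------
// 1. names only: a function value is never accepted as the lookup key
// 2. own-property lookup: 'constructor', 'toString' etc. do not resolve
// 3. the result must be a scale this module registered, not any function
function getScaleHardened(name, registry) {
  if (typeof name !== 'string') return undefined;
  if (!Object.prototype.hasOwnProperty.call(registry, name)) return undefined;
  const s = registry[name];
  return registeredScales.has(s) ? s : undefined;
}
function scaleHardened(name, value, registry = scales) {
  const s = getScaleHardened(name, registry);
  return s ? s(value) : undefined;
}

// Stand-alone run: the vulnerable version executes attacker source (42),
// the hardened one refuses the function key and the prototype key.
console.log('vulnerable:', demoVulnerableEscape());                                   // 42
console.log('hardened fn key:', scaleHardened(''.constructor.constructor, 'return 1')); // undefined
console.log('hardened x:', scaleHardened('x', 21));                                   // 42
console.log('hardened constructor:', scaleHardened('constructor', 21));               // undefined
```

The three checks in the hardened lookup are each necessary: accepting only strings blocks passing a callable directly, the own-property check keeps `Object.prototype` members such as `constructor` from resolving to a function, and the registry membership check guarantees that whatever is finally called was created by the charting library, not by the expression author.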
Recommendation
Update the `vega` package to the latest compatible version. Version details:
- Affected version(s): < 5.23.0
- Patched version(s): 5.23.0
References
Related Issues
- Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpreter (GHSA-rcw3-wmx7-cphr) - CVE-2025-26619
- Vega allows Cross-site Scripting via the vlSelectionTuples function - CVE-2025-25304
- Websites were able to send any requests to the development server and read the response in vite - CVE-2025-24010
- Parsed HTML anchor links in Markdown provided to parseMarkdown can result in XSS in @nuxtjs/mdc - CVE-2025-24981
Tags:
- npm
- vega
Last updated on March 09, 2023