Vega Expression Language `scale` expression function Cross Site Scripting (GHSA-4vq7-882g-wcg4)
- Severity: Medium
Description
The Vega `scale` expression function can call arbitrary functions with a single attacker-controlled argument. This can be exploited to escape the Vega expression sandbox and execute arbitrary JavaScript.
Recommendation
Update the vega package to the latest compatible version. Version details:
- Affected version(s): < 5.23.0
- Patched version(s): 5.23.0
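To check an application against the range above, the following is an added example (not code from this advisory or from the Vega project): it walks the "packages" map of a lockfileVersion 2/3 package-lock.json and reports every installed copy of vega below 5.23.0, including nested copies pulled in by another dependency, which a glance at the top-level version would miss. The lock data is constructed for the example.

```javascript
// Added example (constructed, not Vega project code): list every copy of vega
// in a lockfileVersion 2/3 package-lock whose version is below patched 5.23.0.
const PATCHED_VERSION = "5.23.0";

// Parse "5.22.1", "v5.22.1" or "5.23.0-beta.1" into numeric parts plus a
// prerelease flag (a prerelease sorts before its release in semver).
function parseVersion(v) {
  const m = /^[v=]?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Returns -1, 0 or 1 like a comparator; build metadata (+...) is ignored.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  return pa.pre ? -1 : 1;
}

function isAffectedVegaVersion(version) {
  return compareVersions(version, PATCHED_VERSION) < 0;
}

// Keys in "packages" are install paths, so a copy pulled in by another
// dependency appears as e.g. "node_modules/vega-embed/node_modules/vega".
function findAffectedVega(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/vega$/.test(path) || !entry.version) continue;
    if (isAffectedVegaVersion(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed lock: the top-level vega is patched, but a nested copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { vega: "^5.23.0", "vega-embed": "^6.0.0" } },
    "node_modules/vega": { version: "5.23.0" },
    "node_modules/vega-embed": { version: "6.21.0" },
    "node_modules/vega-embed/node_modules/vega": { version: "5.21.0" },
  },
};
findAffectedVega(SAMPLE_LOCK).forEach((h) => console.log(`affected: ${h.path} (vega ${h.version})`));
```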
Related Issues
- Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - CVE-2025-59840
- Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpreter (GHSA-rcw3-wmx7-cphr) - CVE-2025-26619
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793
- Vega allows Cross-site Scripting via the vlSelectionTuples function - CVE-2025-25304
- Tags: npm, vega
Last updated on March 09, 2023