Vega Expression Language `scale` expression function Cross Site Scripting (GHSA-4vq7-882g-wcg4)

Severity:: Medium

Description

The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript.

Recommendation

Update the vega package to the latest compatible version. Followings are version details:

Affected version(s): < 5.23.0
Patched version(s): 5.23.0

References

GHSA-4vq7-882g-wcg4
github.dev
vega.github.io
CVE-2023-26486
CWE-79
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Vega Expression Language `scale` expression function Cross Site Scripting - CVE-2023-26486
Vega has Cross-site Scripting vulnerability in `lassoAppend` function (GHSA-w5m3-xh75-mp55) - CVE-2023-26487
Vega has Cross-site Scripting vulnerability in `lassoAppend` function - CVE-2023-26487
Vega allows Cross-site Scripting via the vlSelectionTuples function (GHSA-mp7w-mhcv-673j) - CVE-2025-25304

Tags:: npm; vega

Anything's wrong? Let us know Last updated on March 09, 2023