Vega has Cross-site Scripting vulnerability in `lassoAppend` function
- Severity:
- Medium
Description
Vega’s lassoAppend function: lassoAppend accepts 3 arguments and internally invokes push function on the 1st argument specifying array consisting of 2nd and 3rd arguments as push call argument. The type of the 1st argument is supposed to be an array, but it’s not enforced.
Recommendation
Update the vega-functions package to the latest compatible version. Followings are version details:
- Affected version(s): < 5.13.1
- Patched version(s): 5.13.1
References
Related Issues
- CodeceptJS's incomprehensive sanitation can lead to Command Injection - CVE-2025-57285
- Payload does not invalidate JWTs after log out (GHSA-5v66-m237-hwf7) 2 - CVE-2025-4643
- The AuthKit React Router Library rendered sensitive auth data in HTML - CVE-2025-55008
- Vite allows server.fs.deny to be bypassed with .svg or relative paths - CVE-2025-31486
- Tags:
- npm
- vega-functions
Anything's wrong? Let us know Last updated on March 13, 2023