Vega has Cross-site Scripting vulnerability in `lassoAppend` function (GHSA-w5m3-xh75-mp55)
- Severity: Medium
Description
Vega's `lassoAppend` function accepts three arguments and internally invokes the `push` method on the first argument, passing an array made up of the second and third arguments as the `push` call's argument. The first argument is supposed to be an array, but that type is not enforced.
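The following is an added example, not Vega's own code or its patch. It models the pattern the advisory describes (a three-argument `lassoAppend` that calls `push` on its first argument) and places it beside a hardened variant that enforces the array type with `Array.isArray` before touching the value; that check is our assumption of a reasonable fix, not a claim about what Vega 5.23.0 actually does. The non-array input is constructed for the demonstration.

```javascript
// Added example (not Vega's code). Models lassoAppend(lasso, x, y): append [x, y] to lasso.

// Unchecked form, the pattern the advisory describes: whatever `lasso` is, its
// `push` property gets invoked. If a non-array value carrying its own `push`
// reaches this function, that property's code runs instead of an array append.
function lassoAppendUnchecked(lasso, x, y) {
  lasso.push([x, y]);
  return lasso;
}

// Hardened form (assumed fix, not necessarily Vega's patch): reject anything
// that is not a real array before calling push on it.
function lassoAppendChecked(lasso, x, y) {
  if (!Array.isArray(lasso)) {
    throw new TypeError('lassoAppend: first argument must be an array');
  }
  lasso.push([x, y]);
  return lasso;
}

// Runs both variants on a genuine array and on a constructed non-array value
// and reports what happened, so the difference in behaviour is observable.
function demo() {
  const good = lassoAppendChecked([], 1, 2); // [[1, 2]]

  // Constructed input: a plain object that merely has a `push` property.
  let foreignPushCalled = false;
  const notAnArray = { push: () => { foreignPushCalled = true; } };

  // Unchecked variant silently runs the object's own push.
  lassoAppendUnchecked(notAnArray, 3, 4);

  // Checked variant refuses the value outright.
  let rejected = false;
  try {
    lassoAppendChecked(notAnArray, 3, 4);
  } catch (e) {
    rejected = e instanceof TypeError;
  }

  return { good, foreignPushCalled, rejected };
}

module.exports = { lassoAppendUnchecked, lassoAppendChecked, demo };
```

Running `demo()` returns `{ good: [[1, 2]], foreignPushCalled: true, rejected: true }`: the unchecked variant handed control to whatever `push` the untyped argument carried, while the checked variant never reached that call.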
Recommendation
Update the `vega` package to the latest compatible version. Version details are as follows:
- Affected version(s): < 5.23.0
- Patched version(s): 5.23.0
References
Related Issues
- matrix-js-sdk has insufficient validation when considering a room to be upgraded by another - CVE-2025-59160
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793
- Vega allows Cross-site Scripting via the vlSelectionTuples function - CVE-2025-25304
- Modified package published to npm, containing malware that exfiltrates private key material - CVE-2024-54134
- Tags:
- npm
- vega
Last updated on March 13, 2023