Vega has Cross-site Scripting vulnerability in `lassoAppend` function (GHSA-w5m3-xh75-mp55)
- Severity:
- Medium
Description
Vega’s lassoAppend function: lassoAppend accepts 3 arguments and internally invokes push function on the 1st argument specifying array consisting of 2nd and 3rd arguments as push call argument. The type of the 1st argument is supposed to be an array, but it’s not enforced.
Recommendation
Update the vega package to the latest compatible version. Followings are version details:
- Affected version(s): < 5.23.0
- Patched version(s): 5.23.0
References
Related Issues
- @dependencytrack/frontend vulnerable to Persistent Cross-Site-Scripting via welcome message - CVE-2025-64758
- Parse Server Vulnerable to Server-Side Request Forgery (SSRF) in File Upload via URI Format - CVE-2025-64430
- `sveltekit-superforms` has Prototype Pollution in `parseFormData` function of `formData.js` - CVE-2025-62381
- matrix-js-sdk has insufficient validation when considering a room to be upgraded by another - CVE-2025-59160
- Tags:
- npm
- vega
Anything's wrong? Let us know Last updated on March 13, 2023