Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]

Severity:: Medium

Description

Users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with the vega-interpreter.

Recommendation

Update the vega-functions package to the latest compatible version. Followings are version details:

Affected version(s): < 5.17.0
Patched version(s): 5.17.0

References

GHSA-963h-3v39-3pqf
vega.github.io
CVE-2025-27793
CWE-79
CWE-87
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf) - CVE-2025-27793
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function - CVE-2025-66648
Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter - CVE-2025-26619
@sveltejs/kit vulnerable to Cross-site Scripting via tracked search_params - CVE-2025-32388

Tags:: npm; vega-functions

Anything's wrong? Let us know Last updated on March 27, 2025