Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]

Severity:: Medium

Description

Users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with the vega-interpreter.

Recommendation

Update the vega-functions package to the latest compatible version. Followings are version details:

Affected version(s): < 5.17.0
Patched version(s): 5.17.0

References

GHSA-963h-3v39-3pqf
vega.github.io
CVE-2025-27793
CWE-79
CWE-87
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Bootstrap Cross-Site Scripting (XSS) vulnerability for data-* attributes - CVE-2024-6485
react-native-keys insecurely stores encryption cipher and Base64 chunks - CVE-2025-45001
nuxt vulnerable to Cross-site Scripting in navigateTo if used after SSR - CVE-2024-34343
Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter - CVE-2025-26619

Tags:: npm; vega-functions

Anything's wrong? Let us know Last updated on March 27, 2025