Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] (GHSA-963h-3v39-3pqf)

Severity:: Medium

Description

Users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with the vega-interpreter.

Recommendation

Update the vega package to the latest compatible version. Followings are version details:

Affected version(s): < 5.32.0
Patched version(s): 5.32.0

References

GHSA-963h-3v39-3pqf
vega.github.io
CVE-2025-27793
CWE-79
CWE-87
CAPEC-310
OWASP 2021-A3
OWASP 2021-A6

Related Issues

Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter - CVE-2025-26619
Vega allows Cross-site Scripting via the vlSelectionTuples function - CVE-2025-25304
@hono/node-server has Denial of Service risk when receiving Host header that cannot be parsed - CVE-2024-32652
jose vulnerable to resource exhaustion via specifically crafted JWE with compressed plaintext - CVE-2024-28176

Tags:: npm; vega

Anything's wrong? Let us know Last updated on March 27, 2025