Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] - vega

Description

Users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with the vega-interpreter.

Recommendation

Update the vega package to the latest compatible version. Followings are version details:

• Affected version(s): < 5.32.0
• Patched version(s): 5.32.0

References

• GHSA-963h-3v39-3pqf
• vega.github.io
• CVE-2025-27793
• CWE-79
• CWE-87
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] - CVE-2025-27793
• `vega-functions` vulnerable to Cross-site Scripting via `setdata` function - CVE-2025-66648
• Vega allows Cross-site Scripting via the vlSelectionTuples function - vega-selections - CVE-2025-25304
• Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter - vega - CVE-2025-26619

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

vega