Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function ga

Description

Applications meeting these two conditions are at risk of arbitrary JavaScript code execution, even if “safe mode” expressionInterpreter is used.

1. Use vega in an application that attaches both vega library and a vega.View instance similar to the Vega Editor to the global window, or has any other satisfactory function gadgets in the global scope 2.

Recommendation

Update the vega-selections package to the latest compatible version. Followings are version details:

• Affected version(s): **>= 6.0.0, < 6.1.2

  < 5.6.3**

• Patched version(s): **6.1.2

  5.6.3**

References

• GHSA-829q-m3qg-ph8r
• CVE-2025-65110
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia - CVE-2025-59840
• Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia (GHSA-7f2v-3qq3-vvjf) - CVE-2025-59840
• Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global varia (GHSA-7f2v-3qq3-vvjf) 2 - CVE-2025-59840
• Vega allows Cross-site Scripting via the vlSelectionTuples function (GHSA-mp7w-mhcv-673j) - CVE-2025-25304

Tags:

npm

vega-selections