CVE-2025-26619 – vega

Package

Manager: npm
Name: vega
Vulnerable Version: >=0 <5.31.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

EPSS: 0.0004 pctl0.11096

Details

Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter ### Impact In `vega` 5.30.0 and lower, `vega-functions` 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. ### Patches Patched in `vega` `5.31.0` / `vega-functions` `5.16.0` ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ - Run `vega` without `vega.expressionInterpreter`. This mode is not the default as it is slower. - Using the interpreter [described in CSP safe mode](https://vega.github.io/vega/usage/interpreter/) (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability. ### References - Reported to Vega-Lite by @kprevas Nov 8 2024 in https://github.com/vega/vega-lite/issues/9469 & https://github.com/vega/vega/issues/3984 Reproduction of the error in Vega by @mattijn ``` { "$schema": "https://vega.github.io/schema/vega/v5.json", "signals": [ { "name": "inject_alert", "on": [ { "events": [ { "type": "mousedown", "marktype": "rect", "filter": ["scale(event.view.setTimeout, 'alert(\"alert\")')"] } ], "update": "datum" } ] } ], "marks": [ { "type": "rect", "encode": { "update": { "x": {"value": 0}, "y": {"value": 0}, "width": {"value": 100}, "height": {"value": 100} } } } ] } ```

Metadata

Created: 2025-03-27T14:12:34Z
Modified: 2025-04-11T19:02:04Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-rcw3-wmx7-cphr/GHSA-rcw3-wmx7-cphr.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-rcw3-wmx7-cphr
Finding: F008
Auto approve: 1