CVE-2025-26619
Severity CVSS v4.0: MEDIUM
Type: CWE-79 Cross-Site Scripting (XSS)
Publication date: 27/03/2025
Last modified: 11/04/2025
Description
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In `vega` 5.30.0 and lower and in `vega-functions` 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. The issue is patched in `vega` `5.31.0` and `vega-functions` `5.16.0`. Some workarounds are available. Run `vega` without `vega.expressionInterpreter`. This mode is not the default as it is slower. Alternatively, using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary JavaScript from running, so users of this mode are not affected by this vulnerability.
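The affected and fixed versions above are the only data a dependency audit needs. The following is an added example, not code from the advisory or from the Vega project: it compares resolved package versions against the fixed versions the advisory states (`vega` 5.31.0, `vega-functions` 5.16.0) and reports which entries still fall in the vulnerable range. The sample dependency map is constructed for illustration.

```javascript
// Added example: flag resolved dependency versions affected by CVE-2025-26619.
// Fixed versions are taken from the advisory text; everything below them is affected.
const FIXED_VERSIONS = {
  'vega': '5.31.0',
  'vega-functions': '5.16.0',
};

// Parse an exact "major.minor.patch[-prerelease]" version. Lockfiles record
// exact resolved versions, so range prefixes such as "^" are deliberately rejected.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Comparator returning <0, 0 or >0. A prerelease of X sorts before X itself,
// so "5.31.0-rc.1" is still treated as older than the fixed "5.31.0".
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (const k of ['major', 'minor', 'patch']) {
    if (pa[k] !== pb[k]) return pa[k] - pb[k];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// True when the package is one of the two named in the advisory and its
// resolved version is strictly below the fixed version.
function isAffected(name, version) {
  const fixed = FIXED_VERSIONS[name];
  if (fixed === undefined) return false;
  return compareVersions(version, fixed) < 0;
}

// Scan a map of package name -> resolved version (the shape you get from a
// package-lock "packages" section after stripping the "node_modules/" prefix).
function findAffected(resolved) {
  const hits = [];
  for (const [name, version] of Object.entries(resolved)) {
    if (isAffected(name, version)) {
      hits.push({ name, version, fixed: FIXED_VERSIONS[name] });
    }
  }
  return hits;
}

// Constructed sample dependency set (not real project data): one affected
// vega, one already-fixed vega-functions, one unrelated package.
const SAMPLE_RESOLVED = {
  'vega': '5.30.0',
  'vega-functions': '5.16.0',
  'example-package': '1.2.3',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log(findAffected(SAMPLE_RESOLVED));
}
```

The check treats the fixed version as the first safe release and everything below it, prereleases of the fixed version included, as affected, which matches the "(excluding)" upper bounds in the CPE table. It does not replace the CSP-safe interpreter mitigation described in the advisory; it only tells you whether an upgrade is still outstanding.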
Impact
| Metric | CVSS v4.0 | CVSS v3.x |
|---|---|---|
| Base Score | 5.30 | 6.10 |
| Severity | MEDIUM | MEDIUM |
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:vega-functions_project:vega-functions:*:*:*:*:*:node.js:*:* | | 5.16.0 (excluding) |
| cpe:2.3:a:vega_project:vega:*:*:*:*:*:node.js:*:* | | 5.31.0 (excluding) |
References to Advisories, Solutions, and Tools
- https://github.com/vega/vega-lite/issues/9469
- https://github.com/vega/vega/commit/8fc129a6f8a11e96449c4ac0f63de0e5bfc7254c
- https://github.com/vega/vega/issues/3984
- https://github.com/vega/vega/security/advisories/GHSA-rcw3-wmx7-cphr