CVE-2025-26619

MEDIUM6.1EPSS 0.42%

Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter

Published: 3/27/2025Modified: 4/11/2025
Also known as:GHSA-rcw3-wmx7-cphr

Description

### Impact In `vega` 5.30.0 and lower, `vega-functions` 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. ### Patches Patched in `vega` `5.31.0` / `vega-functions` `5.16.0` ### Workarounds _Is there a way for users to fix or remediate the vulnerability without upgrading?_ - Run `vega` without `vega.expressionInterpreter`. This mode is not the default as it is slower. - Using the interpreter [described in CSP safe mode](https://vega.github.io/vega/usage/interpreter/) (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability. ### References - Reported to Vega-Lite by @kprevas Nov 8 2024 in https://github.com/vega/vega-lite/issues/9469 & https://github.com/vega/vega/issues/3984 Reproduction of the error in Vega by @mattijn ``` { "$schema": "https://vega.github.io/schema/vega/v5.json", "signals": [ { "name": "inject_alert", "on": [ { "events": [ { "type": "mousedown", "marktype": "rect", "filter": ["scale(event.view.setTimeout, 'alert(\"alert\")')"] } ], "update": "datum" } ] } ], "marks": [ { "type": "rect", "encode": { "update": { "x": {"value": 0}, "y": {"value": 0}, "width": {"value": 100}, "height": {"value": 100} } } } ] } ```

Affected packages (3)

CVSS scores

SourceVersionSeverityVector
osvCVSS 4.0CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
osvCVSS 3.1MEDIUM6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

References (7)