First published: Thu Mar 27 2025(Updated: )
### Impact

In `vega` 5.30.0 and lower and `vega-functions` 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported: a function value reachable from the expression scope (for example through the event object) could be handed to an expression function and invoked.

### Patches

Patched in `vega` `5.31.0` / `vega-functions` `5.16.0`.

### Workarounds

_Is there a way for users to fix or remediate the vulnerability without upgrading?_

- Evaluate expressions with the CSP-safe interpreter (`vega.expressionInterpreter`, [described in CSP safe mode](https://vega.github.io/vega/usage/interpreter/), where CSP is Content Security Policy) instead of the default compiled-expression mode. The interpreter prevents arbitrary JavaScript from running, so users of this mode are not affected by this vulnerability. It is not the default because it is slower.

### References

- Reported to Vega-Lite by @kprevas on Nov 8 2024 in https://github.com/vega/vega-lite/issues/9469 and https://github.com/vega/vega/issues/3984

Reproduction of the error in Vega by @mattijn. The `filter` expression passes `event.view.setTimeout`, a real browser function reachable from the event object, as the first argument of `scale()` and a string of JavaScript as the second; in the affected versions `scale()` invoked a function passed as its first argument, so a `mousedown` on the rect runs `setTimeout('alert("alert")')`:

```json
{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "signals": [
    {
      "name": "inject_alert",
      "on": [
        {
          "events": [
            {
              "type": "mousedown",
              "marktype": "rect",
              "filter": ["scale(event.view.setTimeout, 'alert(\"alert\")')"]
            }
          ],
          "update": "datum"
        }
      ]
    }
  ],
  "marks": [
    {
      "type": "rect",
      "encode": {
        "update": {
          "x": {"value": 0},
          "y": {"value": 0},
          "width": {"value": 100},
          "height": {"value": 100}
        }
      }
    }
  ]
}
```
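As an added example (not code from the Vega project or from this advisory), the block below models the pattern behind this CVE in plain JavaScript: a scale lookup that treats a function passed as the scale name as callable, beside a hardened lookup that only resolves string names against its own registry, plus a small pre-render check that walks a spec and flags `scale()` calls whose first argument is not a quoted literal. The scale registry in `makeContext`, the `makeSink` stand-in for `event.view.setTimeout`, and the `findSuspiciousScaleCalls` scanner are assumptions made for illustration; the embedded `REPRO_SPEC` is the advisory's reproduction and `BENIGN_SPEC` is constructed.

```javascript
// Added example, not vega's own code. It models the bug class the advisory describes:
// a scale() lookup that accepts a *function* as the scale name and calls it, beside the
// hardened lookup that only resolves string names, plus a pre-render check that flags
// scale() calls in a spec whose first argument is not a string literal.

// Constructed stand-in for the scales a Vega view exposes to expressions (assumption).
function makeContext() {
  return { scales: { x: (v) => v * 2 } };
}

// Vulnerable resolver: a function passed as `name` is returned as if it were a scale.
function getScaleVulnerable(name, ctx) {
  if (typeof name === 'function') return name;
  if (typeof name === 'string') return ctx.scales[name];
  return undefined;
}

// Hardened resolver: only own string keys of the registry resolve; functions never do.
function getScaleFixed(name, ctx) {
  if (typeof name !== 'string') return undefined;
  return Object.prototype.hasOwnProperty.call(ctx.scales, name) ? ctx.scales[name] : undefined;
}

// scale(name, value) as the expression function sees it: resolve the scale, then apply it.
function scaleWith(resolver, name, value, ctx) {
  const s = resolver(name, ctx);
  return s ? s(value) : undefined;
}

// Stand-in for event.view.setTimeout: records what it was asked to run instead of running it.
function makeSink() {
  const calls = [];
  return { sink: (code) => calls.push(code), calls };
}

// Runs the advisory's payload shape through both resolvers.
function demo() {
  const ctx = makeContext();
  const { sink, calls } = makeSink();
  const payload = 'alert("alert")';
  const vulnResult = scaleWith(getScaleVulnerable, sink, payload, ctx); // sink is invoked
  const fixedResult = scaleWith(getScaleFixed, sink, payload, ctx);     // rejected, undefined
  return { legit: scaleWith(getScaleFixed, 'x', 21, ctx), calls, vulnResult, fixedResult };
}

// Pre-render check: walk every string in a spec and flag scale( calls whose first
// argument is not a quoted literal. Regex-based, so it is a review aid, not a parser.
const SCALE_CALL = /\bscale\(\s*([^,)]*)/g;
function findSuspiciousScaleCalls(node, path = '$', out = []) {
  if (typeof node === 'string') {
    for (const m of node.matchAll(SCALE_CALL)) {
      const first = m[1].trim();
      if (!/^['"]/.test(first)) out.push({ path, arg: first });
    }
  } else if (Array.isArray(node)) {
    node.forEach((v, i) => findSuspiciousScaleCalls(v, `${path}[${i}]`, out));
  } else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) findSuspiciousScaleCalls(v, `${path}.${k}`, out);
  }
  return out;
}

// The advisory's reproduction spec, embedded here as input for the scanner.
const REPRO_SPEC = {
  $schema: 'https://vega.github.io/schema/vega/v5.json',
  signals: [{
    name: 'inject_alert',
    on: [{
      events: [{ type: 'mousedown', marktype: 'rect',
                 filter: ["scale(event.view.setTimeout, 'alert(\"alert\")')"] }],
      update: 'datum',
    }],
  }],
  marks: [{ type: 'rect', encode: { update: {
    x: { value: 0 }, y: { value: 0 }, width: { value: 100 }, height: { value: 100 } } } }],
};

// Constructed benign spec that uses scale() the intended way, with a string literal name.
const BENIGN_SPEC = { signals: [{ name: 'px', update: "scale('x', datum.v)" }] };

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
  console.log(findSuspiciousScaleCalls(REPRO_SPEC));
}
```

The scanner is deliberately conservative: a first argument that is a signal holding a scale name is also flagged, which is the point of a pre-render review step for specs from untrusted sources. It is a check to run alongside upgrading, not a substitute for the patched versions.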
Credit: security-advisories@github.com
Affected Software | Affected Version | How to fix
---|---|---
npm/vega-functions | <5.16.0 | 5.16.0
npm/vega | <5.31.0 | 5.31.0
Vega Project Vega | <5.31.0 | 5.31.0
CVE-2025-26619 has a medium severity level: a crafted Vega specification can call JavaScript functions from the Vega expression language that were not meant to be exposed.
To fix CVE-2025-26619, upgrade `vega` to 5.31.0 or later, or `vega-functions` to 5.16.0 or later where it is used directly.
CVE-2025-26619 affects vega versions 5.30.0 and lower and vega-functions versions 5.15.0 and lower.
The advisory's workaround for CVE-2025-26619 is to evaluate expressions with the CSP-safe interpreter (`vega.expressionInterpreter`), which is not affected; upgrading to the patched versions is still recommended.
CVE-2025-26619 lets a specification invoke JavaScript functions reachable from the expression scope (for example via the event object), so an application that renders untrusted Vega specifications can be made to run attacker-chosen JavaScript in its page context.