CVE-2025-25304

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-25304

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-25304.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-25304

Aliases

GHSA-mp7w-mhcv-673j

Downstream

UBUNTU-CVE-2025-25304

Published

2025-02-14T20:15:36Z

Modified

2025-07-29T11:21:11.758189Z

Summary

[none]

Details

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the vlSelectionTuples function can be used to call JavaScript functions, leading to cross-site scripting.vlSelectionTuples calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. This can be used to call Function() with arbitrary JavaScript and the resulting function can be called with vlSelectionTuples or using a type coercion to call toString or valueOf. Version 5.26.0 of vega and 5.4.2 of vega-selections fix this issue.

References

Affected packages

Git / github.com/vega/vega

Affected ranges

Type: GIT
Repo: https://github.com/vega/vega
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9fb9ea07e27984394e463d286eb73944fa61411e

Affected versions

v1.*

v1.0.0

v1.1.0

v1.2.0

v1.3.0

v1.3.1

v1.3.2

v1.3.3

v1.3.4

v1.4.0

v1.4.1

v1.4.2

v1.4.3

v1.5.0

v1.5.1

v1.5.4

v3.*

v3.0.0

v3.0.0-beta.1

v3.0.0-beta.10

v3.0.0-beta.11

v3.0.0-beta.12

v3.0.0-beta.13

v3.0.0-beta.14

v3.0.0-beta.15

v3.0.0-beta.16

v3.0.0-beta.17

v3.0.0-beta.18

v3.0.0-beta.19

v3.0.0-beta.2

v3.0.0-beta.20

v3.0.0-beta.21

v3.0.0-beta.22

v3.0.0-beta.23

v3.0.0-beta.24

v3.0.0-beta.25

v3.0.0-beta.26

v3.0.0-beta.27

v3.0.0-beta.28

v3.0.0-beta.29

v3.0.0-beta.3

v3.0.0-beta.30

v3.0.0-beta.31

v3.0.0-beta.32

v3.0.0-beta.33

v3.0.0-beta.34

v3.0.0-beta.35

v3.0.0-beta.36

v3.0.0-beta.37

v3.0.0-beta.38

v3.0.0-beta.39

v3.0.0-beta.4

v3.0.0-beta.6

v3.0.0-beta.7

v3.0.0-beta.8

v3.0.0-rc1

v3.0.0-rc2

v3.0.0-rc3

v3.0.0-rc4

v3.0.0-rc5

v3.0.0-rc6

v3.0.0-rc7

v3.0.1

v3.0.10

v3.0.2

v3.0.3

v3.0.4

v3.0.5

v3.0.6

v3.0.7

v3.0.8

v3.0.9

v3.1.0

v3.2.0

v3.2.1

v3.3.0

v3.3.1

v4.*

v4.0.0

v4.0.0-rc.1

v4.0.0-rc.3

v4.1.0

v4.2.0

v4.3.0

v4.4.0

v4.5.1

v5.*

v5.0.0

v5.0.0-rc1

v5.0.0-rc2

v5.0.0-rc3

v5.0.0-rc4

v5.0.0-rc5

v5.1.0

v5.10.0

v5.10.1

v5.11.0

v5.11.1

v5.12.0

v5.12.1

v5.12.2

v5.12.3

v5.13.0

v5.14.0

v5.15.0

v5.16.0

v5.16.1

v5.17.0

v5.17.1

v5.17.2

v5.17.3

v5.18.0

v5.19.0

v5.19.1

v5.2.0

v5.20.0

v5.20.1

v5.20.2

v5.21.0

v5.22.0

v5.22.1

v5.23.0

v5.24.0

v5.25.0

v5.3.0

v5.3.1

v5.3.2

v5.3.3

v5.3.4

v5.3.5

v5.4.0

v5.4.1

v5.5.0

v5.5.1

v5.5.2

v5.5.3

v5.6.0

v5.7.0

v5.7.1

v5.7.2

v5.7.3

v5.8.0

v5.8.1

v5.9.0

v5.9.1

v5.9.2