CVE-2025-27793
- Source
- https://cve.org/CVERecord?id=CVE-2025-27793
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27793.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2025-27793
- Aliases
- Downstream
- Published
- 2025-03-27T14:07:52.264Z
- Modified
- 2026-04-10T05:25:04.038751Z
- Severity
-
- 5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator
- Summary
- Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]
- Details
-
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library was used with the
vega-interpreter. Vega version 5.32.0 and vega-functions version 5.17.0 fix the issue. As a workaround, usevegawith expression interpreter. - Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-79", "CWE-87" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27793.json" }- References
-
- https://github.com/vega/vega/releases/tag/v5.32.0
- https://vega.github.io/vega/usage/interpreter
- https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27793.json
- https://github.com/vega/vega/security/advisories/GHSA-963h-3v39-3pqf
- https://nvd.nist.gov/vuln/detail/CVE-2025-27793
- https://github.com/vega/vega/commit/694560c0aa576df8b6c5f0f7d202ac82233e6966
Affected packages
Git / github.com/vega/vega
Affected ranges
- Type
- GIT
- Repo
- https://github.com/vega/vega
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
- Type
- GIT
- Repo
- https://github.com/vega/vega
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
v1.*
v1.0.0
v1.1.0
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.5.0
v1.5.1
v1.5.4
v3.*
v3.0.0
v3.0.0-beta.10
v3.0.0-beta.11
v3.0.0-beta.12
v3.0.0-beta.13
v3.0.0-beta.14
v3.0.0-beta.15
v3.0.0-beta.16
v3.0.0-beta.17
v3.0.0-beta.18
v3.0.0-beta.19
v3.0.0-beta.2
v3.0.0-beta.20
v3.0.0-beta.21
v3.0.0-beta.22
v3.0.0-beta.23
v3.0.0-beta.24
v3.0.0-beta.25
v3.0.0-beta.26
v3.0.0-beta.27
v3.0.0-beta.28
v3.0.0-beta.29
v3.0.0-beta.3
v3.0.0-beta.30
v3.0.0-beta.31
v3.0.0-beta.32
v3.0.0-beta.33
v3.0.0-beta.34
v3.0.0-beta.35
v3.0.0-beta.36
v3.0.0-beta.37
v3.0.0-beta.38
v3.0.0-beta.39
v3.0.0-beta.4
v3.0.0-beta.6
v3.0.0-beta.7
v3.0.0-beta.8
v3.0.0-rc1
v3.0.0-rc2
v3.0.0-rc3
v3.0.0-rc4
v3.0.0-rc5
v3.0.0-rc6
v3.0.0-rc7
v3.0.1
v3.0.10
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.2.0
v3.2.1
v3.3.0
v3.3.1
v4.*
v4.0.0
v4.0.0-rc.1
v4.0.0-rc.3
v4.1.0
v4.2.0
v4.3.0
v4.4.0
v4.5.1
v5.*
v5.0.0
v5.0.0-rc1
v5.0.0-rc2
v5.0.0-rc3
v5.0.0-rc4
v5.0.0-rc5
v5.1.0
v5.10.0
v5.10.1
v5.11.0
v5.11.1
v5.12.0
v5.12.1
v5.12.2
v5.12.3
v5.13.0
v5.14.0
v5.15.0
v5.16.0
v5.16.1
v5.17.0
v5.17.1
v5.17.2
v5.17.3
v5.18.0
v5.19.0
v5.19.1
v5.2.0
v5.20.0
v5.20.1
v5.20.2
v5.21.0
v5.22.0
v5.22.1
v5.23.0
v5.24.0
v5.25.0
v5.26.0
v5.26.1
v5.27.0
v5.28.0
v5.29.0
v5.3.0
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.3.5
v5.30.0
v5.31.0
v5.4.0
v5.4.1
v5.5.0
v5.5.1
v5.5.2
v5.5.3
v5.6.0
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.8.0
v5.8.1
v5.9.0
v5.9.1
v5.9.2