CVE-2025-66648

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-66648
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66648.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-66648
Aliases
Downstream
Published
2026-01-05T21:33:14.011Z
Modified
2026-02-06T21:34:22.435886Z
Severity
  • 7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
Summary
`vega-functions` vulnerable to Cross-site Scripting via `setdata` function
Details

vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions 6.1.1. There is no workaround besides upgrading. Using vega.expressionInterpreter as described in CSP safe mode does not prevent this issue.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-79"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/66xxx/CVE-2025-66648.json"
}
References

Affected packages

Git / github.com/vega/vega

Affected ranges

Type
GIT
Repo
https://github.com/vega/vega
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
d67c1b7d5ee707eabd82905088aff1605ca866ba

Affected versions

v1.*
v1.0.0
v1.1.0
v1.2.0
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.3.4
v1.4.0
v1.4.1
v1.4.2
v1.4.3
v1.5.0
v1.5.1
v1.5.4
v3.*
v3.0.0
v3.0.0-beta.1
v3.0.0-beta.10
v3.0.0-beta.11
v3.0.0-beta.12
v3.0.0-beta.13
v3.0.0-beta.14
v3.0.0-beta.15
v3.0.0-beta.16
v3.0.0-beta.17
v3.0.0-beta.18
v3.0.0-beta.19
v3.0.0-beta.2
v3.0.0-beta.20
v3.0.0-beta.21
v3.0.0-beta.22
v3.0.0-beta.23
v3.0.0-beta.24
v3.0.0-beta.25
v3.0.0-beta.26
v3.0.0-beta.27
v3.0.0-beta.28
v3.0.0-beta.29
v3.0.0-beta.3
v3.0.0-beta.30
v3.0.0-beta.31
v3.0.0-beta.32
v3.0.0-beta.33
v3.0.0-beta.34
v3.0.0-beta.35
v3.0.0-beta.36
v3.0.0-beta.37
v3.0.0-beta.38
v3.0.0-beta.39
v3.0.0-beta.4
v3.0.0-beta.6
v3.0.0-beta.7
v3.0.0-beta.8
v3.0.0-rc1
v3.0.0-rc2
v3.0.0-rc3
v3.0.0-rc4
v3.0.0-rc5
v3.0.0-rc6
v3.0.0-rc7
v3.0.1
v3.0.10
v3.0.2
v3.0.3
v3.0.4
v3.0.5
v3.0.6
v3.0.7
v3.0.8
v3.0.9
v3.1.0
v3.2.0
v3.2.1
v3.3.0
v3.3.1
v4.*
v4.0.0
v4.0.0-rc.1
v4.0.0-rc.3
v4.1.0
v4.2.0
v4.3.0
v4.4.0
v4.5.1
v5.*
v5.0.0
v5.0.0-rc1
v5.0.0-rc2
v5.0.0-rc3
v5.0.0-rc4
v5.0.0-rc5
v5.1.0
v5.10.0
v5.10.1
v5.11.0
v5.11.1
v5.12.0
v5.12.1
v5.12.2
v5.12.3
v5.13.0
v5.14.0
v5.15.0
v5.16.0
v5.16.1
v5.17.0
v5.17.1
v5.17.2
v5.17.3
v5.18.0
v5.19.0
v5.19.1
v5.2.0
v5.20.0
v5.20.1
v5.20.2
v5.21.0
v5.22.0
v5.22.1
v5.23.0
v5.24.0
v5.25.0
v5.26.0
v5.26.1
v5.27.0
v5.28.0
v5.29.0
v5.3.0
v5.3.1
v5.3.2
v5.3.3
v5.3.4
v5.3.5
v5.30.0
v5.31.0
v5.32.0
v5.33.0
v5.4.0
v5.4.1
v5.5.0
v5.5.1
v5.5.2
v5.5.3
v5.6.0
v5.7.0
v5.7.1
v5.7.2
v5.7.3
v5.8.0
v5.8.1
v5.9.0
v5.9.1
v5.9.2
v6.*
v6.0.0
v6.1.0

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-66648.json"