GHSA-mp7w-mhcv-673j

Source

https://github.com/advisories/GHSA-mp7w-mhcv-673j

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-mp7w-mhcv-673j/GHSA-mp7w-mhcv-673j.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mp7w-mhcv-673j

Aliases

CVE-2025-25304

Published

2025-02-14T17:33:58Z

Modified

2025-02-14T22:17:54Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

Vega allows Cross-site Scripting via the vlSelectionTuples function

Details

Summary

The vlSelectionTuples function can be used to call JavaScript functions, leading to XSS.

Details

vlSelectionTuples calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument.

Example call: vlSelectionTuples([{datum:<argument>}], {fields:[{getter:<function>}]})

This can be used to call Function() with arbitrary JavaScript and the resulting function can be called with vlSelectionTuples or using a type coercion to call toString or valueOf.

PoC

{"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","init":"+{valueOf:vlSelectionTuples([{datum:'alert(1)'}],{fields:[{getter:[].at.constructor}]})[0].values[0]}"}]}

Database specific

{
    "github_reviewed_at": "2025-02-14T17:33:58Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "nvd_published_at": "2025-02-14T20:15:36Z",
    "severity": "MODERATE",
    "github_reviewed": true
}

References

Affected packages

npm / vega

Package

Name: vega; View open source insights on deps.dev
Purl: pkg:npm/vega

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.26.0

npm / vega-selections

Package

Name: vega-selections; View open source insights on deps.dev
Purl: pkg:npm/vega-selections

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.4.2