GHSA-rcw3-wmx7-cphr

Source

https://github.com/advisories/GHSA-rcw3-wmx7-cphr

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-rcw3-wmx7-cphr/GHSA-rcw3-wmx7-cphr.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rcw3-wmx7-cphr

Aliases

CVE-2025-26619

Related

CVE-2025-26619

Published

2025-03-27T14:12:34Z

Modified

2025-04-11T19:02:04Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N CVSS Calculator

Summary

Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter

Details

Impact

In vega 5.30.0 and lower, vega-functions 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.

Patches

Patched in vega 5.31.0 / vega-functions 5.16.0

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Run vega without vega.expressionInterpreter. This mode is not the default as it is slower.
Using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability.

References

Reported to Vega-Lite by @kprevas Nov 8 2024 in https://github.com/vega/vega-lite/issues/9469 & https://github.com/vega/vega/issues/3984

Reproduction of the error in Vega by @mattijn

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "signals": [
    {
      "name": "inject_alert",
      "on": [
        {
          "events": [
            {
              "type": "mousedown",
              "marktype": "rect",
              "filter": ["scale(event.view.setTimeout, 'alert(\"alert\")')"]
            }
          ],
          "update": "datum"
        }
      ]
    }
  ],
  "marks": [
    {
      "type": "rect",
      "encode": {
        "update": {
          "x": {"value": 0},
          "y": {"value": 0},
          "width": {"value": 100},
          "height": {"value": 100}
        }
      }
    }
  ]
}

Database specific

{
    "github_reviewed": true,
    "severity": "MODERATE",
    "nvd_published_at": "2025-03-27T14:15:52Z",
    "cwe_ids": [
        "CWE-79"
    ],
    "github_reviewed_at": "2025-03-27T14:12:34Z"
}

References

Affected packages

npm / vega

Package

Name: vega; View open source insights on deps.dev
Purl: pkg:npm/vega

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.31.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-rcw3-wmx7-cphr/GHSA-rcw3-wmx7-cphr.json"

npm / vega-functions

Package

Name: vega-functions; View open source insights on deps.dev
Purl: pkg:npm/vega-functions

Affected ranges

Type: SEMVER
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

5.16.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-rcw3-wmx7-cphr/GHSA-rcw3-wmx7-cphr.json"