CVE-2025-26619
📋 TL;DR
This vulnerability allows attackers to call JavaScript functions that Vega's expression language is not meant to expose, bypassing the function restrictions the language is supposed to enforce. It affects the Vega visualization library at versions 5.30.0 and lower and vega-functions at versions 5.15.0 and lower. The result is cross-site scripting: an attacker who can get a Vega specification (and the expressions inside it) evaluated by a vulnerable instance can run script in the viewer's browser.
💻 Affected Systems
- vega
- vega-functions
📦 What is this software?
Vega by the Vega Project: a visualization grammar and runtime that renders charts from JSON specifications in the browser and in Node.
vega-functions by the Vega Project: the package, maintained in the same repository as vega, that provides the functions callable from Vega's expression language; vega depends on it, so most deployments pull it in transitively rather than declaring it directly.
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of web application security leading to data theft, session hijacking, or malware distribution through arbitrary JavaScript execution in user browsers.
Likely Case
Cross-site scripting (XSS) attacks where attackers inject malicious scripts that execute in victims' browsers, potentially stealing credentials or session cookies.
If Mitigated
Limited impact where untrusted specifications are validated before Vega evaluates them or Vega runs in its CSP-safe interpreter mode, though the flaw still exists at the library level until the packages are upgraded.
🎯 Exploit Status
An attacker who can get a Vega specification or expression evaluated by a vulnerable instance (for example through user-submitted or stored chart definitions) can call JavaScript functions the expression language is not meant to expose. No conditions beyond that input path are needed, so exploitation is straightforward wherever untrusted specs are accepted.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: vega 5.31.0, vega-functions 5.16.0
Vendor Advisory: https://github.com/vega/vega/security/advisories/GHSA-rcw3-wmx7-cphr
Restart Required: No service restart, but the application bundle must be rebuilt and redeployed so browsers load the patched code.
Instructions:
1. Update package.json so vega resolves to 5.31.0 or later and vega-functions to 5.16.0 or later. npm update only moves within the semver range already declared, so widen the range or install the fixed versions explicitly if the current range excludes them.
2. Run npm update vega vega-functions, then check for nested copies: vega-functions is pulled in transitively by vega, and wrapper packages such as vega-lite or vega-embed may resolve a separate copy under their own node_modules directory. Every copy must reach the fixed versions.
3. Rebuild and redeploy the application, and verify the deployed bundle rather than only the lockfile.
🔧 Temporary Workarounds
Run Vega in CSP-safe interpreter mode
Applies to: all affected versions
Parse the specification with the ast option enabled and construct the View with the expr option set to the expressionInterpreter from vega-interpreter, so expressions are evaluated by walking the parsed syntax tree instead of being compiled into JavaScript with the Function constructor. This is the mode Vega documents for strict Content Security Policy deployments; expression evaluation is slower than with the default compiler. "Running without the default expression compiler" and "enabling CSP-safe mode" describe this one change, not two separate workarounds.
Interpreter mode removes runtime code generation but is not the fix: confirm against the vendor advisory that it covers this issue before relying on it, and still schedule the upgrade.
🧯 If You Can't Patch
- Validate untrusted Vega specifications before they reach the library: reject expressions that call functions outside Vega's documented expression function list, reference prototype-related members, or use property names that can only be resolved at run time, and where possible refuse specs from sources you do not control outright
- Deploy web application firewall (WAF) rules to detect and block XSS attempts, with the caveat that expression-language payloads need not contain script tags or HTML, so generic XSS signatures give limited coverage; rules should also key on function-call patterns inside JSON spec fields
🔍 How to Verify
Check if Vulnerable:
Check package.json, package-lock.json and node_modules for any copy of vega at version 5.30.0 or lower or vega-functions at version 5.15.0 or lower, including nested copies under other packages' node_modules directories
Check Version:
npm list vega vega-functions --all
Verify Fix Applied:
Confirm that every resolved copy of vega is 5.31.0 or later and every copy of vega-functions is 5.16.0 or later, and that the deployed bundle was rebuilt from those versions
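The version check above, automated against a package-lock.json, as an added example that is not Vega project code. It walks the lockfile's packages map (lockfileVersion 2 or 3) so nested copies that a top-level upgrade can leave behind are reported as well. FIXED_VERSIONS holds the fixed versions stated on this page; the sample lockfile is constructed for the demonstration.

```javascript
// Added example, not Vega project code: scan a parsed package-lock.json
// (lockfileVersion 2 or 3, which carry a "packages" map keyed by install path)
// for every copy of vega / vega-functions older than the fixed versions.
// Nested copies (e.g. under node_modules/vega-embed/node_modules/) are
// reported too, since a top-level upgrade does not necessarily replace them.

const FIXED_VERSIONS = { vega: '5.31.0', 'vega-functions': '5.16.0' };

// Numeric core of a semver string; prerelease/build suffixes are ignored
// (the affected releases use plain x.y.z versions).
function parseVersion(v) {
  return v.split(/[-+]/)[0].split('.').map(n => parseInt(n, 10) || 0);
}

function lessThan(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Package name from a lockfile path such as
// "node_modules/vega-embed/node_modules/vega" -> "vega". Scoped names keep
// their "@scope/" prefix because the split is on the last "node_modules/".
function packageName(lockPath, meta) {
  if (meta.name) return meta.name; // present for aliased packages
  const marker = 'node_modules/';
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length);
}

function findVulnerable(lock) {
  const hits = [];
  for (const [lockPath, meta] of Object.entries(lock.packages || {})) {
    if (lockPath === '') continue; // the root project entry
    const name = packageName(lockPath, meta);
    const fixed = FIXED_VERSIONS[name];
    if (fixed && meta.version && lessThan(meta.version, fixed)) {
      hits.push({ path: lockPath, name, version: meta.version, fixed });
    }
  }
  return hits;
}

// Wrapper for raw lockfile text (e.g. what fs.readFileSync returns).
function scanLockfileText(text) {
  return findVulnerable(JSON.parse(text));
}

// Constructed sample lockfile (not from a real project): the top-level copies
// are vulnerable while the nested copies under vega-embed are already fixed.
const SAMPLE_LOCK = {
  name: 'demo-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/vega': { version: '5.30.0' },
    'node_modules/vega-functions': { version: '5.15.0' },
    'node_modules/vega-embed': { version: '6.26.0' },
    'node_modules/vega-embed/node_modules/vega': { version: '5.31.0' },
    'node_modules/vega-embed/node_modules/vega-functions': { version: '5.16.0' },
  },
};

for (const hit of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${hit.path}: ${hit.name}@${hit.version} is below fixed ${hit.fixed}`);
}
```

To run it against a real project, pass the contents of package-lock.json to scanLockfileText; an empty result means no copy below the fixed versions is recorded in the lockfile, which still has to be confirmed against the bundle actually deployed.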
📡 Detection & Monitoring
Log Indicators:
- Vega itself does not log the expressions it evaluates, so log the specifications and expression strings your application accepts from users at the input boundary; then flag expressions that call functions outside Vega's documented expression function list or that reference members such as constructor, __proto__ or prototype
- Expression parse or evaluation errors raised by Vega after the upgrade, which can indicate probing with expressions the patched versions now reject
Network Indicators:
- Spec payloads submitted to chart-creating or chart-storing endpoints that carry function calls or member accesses outside what your application's own charts normally use
SIEM Query:
Pseudo-query to adapt to your platform; it assumes incoming specs are logged in a field such as spec and that you maintain an allowlist of the Vega expression functions your charts need:
source="application_logs" AND route IN (<chart endpoints>) AND (spec MATCHES "\b(constructor|__proto__|prototype)\b" OR spec calls a function NOT IN <allowlist of Vega expression functions>)
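A concrete form of both the input-validation mitigation from the "If You Can't Patch" section and the log-based detection described here, as an added example that is not Vega project code. The gate walks a spec, pulls out every expression string, and rejects expressions that call functions outside an allowlist, reference prototype-related members, or use property names that are only known at run time; the same gate is then run over logged spec submissions to produce alerts. Assumed and not taken from the page: EXPR_KEYS (the spec keys that carry expressions), ALLOWED_CALLS (a starting subset, not the full list from the Vega documentation), BLOCKED_MEMBERS, the log record shape, and the sample spec and log lines, which are constructed.

```javascript
// Added example, not Vega project code: defence-in-depth gate for untrusted
// Vega specs plus the same check applied to logged submissions.
// ASSUMPTIONS: EXPR_KEYS and ALLOWED_CALLS are starting points, not the full
// sets from the Vega expression reference; extend them before deploying.
// Pattern checks are conservative (false positives are possible) and
// complement the library upgrade, they do not replace it.

const EXPR_KEYS = new Set(['expr', 'update', 'init', 'signal', 'test']);

const ALLOWED_CALLS = new Set([
  'isValid', 'isNaN', 'abs', 'ceil', 'floor', 'round', 'min', 'max', 'pow', 'sqrt',
  'clamp', 'inrange', 'length', 'upper', 'lower', 'substring', 'replace', 'indexof',
  'toNumber', 'toString', 'format', 'timeFormat', 'if', 'scale', 'span',
]);

const BLOCKED_MEMBERS = ['constructor', '__proto__', 'prototype'];

// Recursively collect expression strings with a JSONPath-like location.
function collectExpressions(node, path = '$', out = []) {
  if (Array.isArray(node)) {
    node.forEach((v, i) => collectExpressions(v, `${path}[${i}]`, out));
  } else if (node && typeof node === 'object') {
    for (const [k, v] of Object.entries(node)) {
      if (EXPR_KEYS.has(k) && typeof v === 'string') out.push({ path: `${path}.${k}`, expr: v });
      else collectExpressions(v, `${path}.${k}`, out);
    }
  }
  return out;
}

// Blank out string literals so a "(" or a member name inside quotes is not
// mistaken for a call or a property access.
function stripStrings(expr) {
  return expr.replace(/'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"/g, '""');
}

function checkExpression(expr) {
  const reasons = [];
  const code = stripStrings(expr);
  for (const m of code.matchAll(/([A-Za-z_$][\w$]*)\s*\(/g)) {
    if (!ALLOWED_CALLS.has(m[1])) reasons.push(`call to non-allowlisted function "${m[1]}"`);
  }
  for (const name of BLOCKED_MEMBERS) {
    // Raw text, so datum['constructor'] is caught as well as datum.constructor.
    if (new RegExp(`\\b${name}\\b`).test(expr)) reasons.push(`reference to blocked member "${name}"`);
  }
  // datum[someSignal]: the property name is only known at run time and cannot be vetted here.
  if (/\[\s*(?!(?:""|\d+)\s*\])[^\]]+\]/.test(code)) reasons.push('dynamic property access');
  return reasons;
}

function validateSpec(spec) {
  const problems = [];
  for (const { path, expr } of collectExpressions(spec)) {
    for (const reason of checkExpression(expr)) problems.push({ path, expr, reason });
  }
  return { ok: problems.length === 0, problems };
}

// Detection side: run the gate over JSON log lines that record submitted specs.
// Assumed log shape: {"ts","route","user","spec"}; adapt the field names to your app.
function scanLogLines(lines) {
  const alerts = [];
  for (const line of lines) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; }
    if (!rec || typeof rec.spec !== 'object' || rec.spec === null) continue;
    const { ok, problems } = validateSpec(rec.spec);
    if (!ok) alerts.push({ ts: rec.ts, user: rec.user, route: rec.route, problems });
  }
  return alerts;
}

// Constructed sample spec using only allowlisted functions; the 'x(' inside a
// string literal shows that quoted text is not mistaken for a call.
const SAMPLE_SPEC = {
  signals: [{ name: 'threshold', value: 10,
              on: [{ events: 'click', update: 'clamp(threshold + 1, 0, 100)' }] }],
  data: [{ name: 'table', values: [{ name: 'a', v: 3 }],
           transform: [
             { type: 'filter', expr: "datum.v > threshold && upper(datum.name) != 'X'" },
             { type: 'formula', as: 'label', expr: "replace(datum.name, 'x(', '')" },
           ] }],
  marks: [{ type: 'rect', from: { data: 'table' },
            encode: { update: { x: { signal: 'width / 2' },
                                fill: [{ test: 'datum.v > 5', value: 'red' }, { value: 'blue' }] } } }],
};

// Constructed rejected inputs: a generic non-allowlisted call and a blocked
// member (illustrative test inputs, not the vector from the advisory).
const BAD_SPEC = JSON.parse(JSON.stringify(SAMPLE_SPEC));
BAD_SPEC.data[0].transform.push(
  { type: 'formula', as: 'notify', expr: 'alert(datum.name)' },
  { type: 'formula', as: 'c', expr: "datum['constructor']" },
);

// Constructed log lines in the assumed shape, plus one non-JSON line.
const SAMPLE_LOG = [
  `{"ts":"2025-03-01T10:00:00Z","route":"/api/charts","user":"alice","spec":${JSON.stringify(SAMPLE_SPEC)}}`,
  `{"ts":"2025-03-01T10:00:05Z","route":"/api/charts","user":"mallory","spec":${JSON.stringify(BAD_SPEC)}}`,
  'not json at all',
];

for (const a of scanLogLines(SAMPLE_LOG)) console.log(a.user, a.problems.map(p => `${p.path}: ${p.reason}`));
```

The blocked-member check deliberately runs on the raw expression text, so a string literal containing the word constructor is also flagged; that is the conservative choice for an admission gate and for alerting, where a false positive costs a review and a false negative costs a browser session. A spec that fails the gate should be rejected at the boundary, and the alert record carries enough context (user, route, location in the spec) to triage the submission.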
🔗 References
- https://github.com/vega/vega-lite/issues/9469
- https://github.com/vega/vega/commit/8fc129a6f8a11e96449c4ac0f63de0e5bfc7254c
- https://github.com/vega/vega/issues/3984
- https://github.com/vega/vega/security/advisories/GHSA-rcw3-wmx7-cphr