Cross-Site Scripting Vulnerability in Vega Visualization Library
CVE-2025-25304
What is CVE-2025-25304?
The Vega visualization library, prior to version 5.26.0, contains a vulnerability in the vlSelectionTuples function that permits cross-site scripting. This flaw allows an attacker to manipulate the function to execute arbitrary JavaScript code via an attacker-controlled argument. Specifically, the vlSelectionTuples function can invoke multiple functions that may be influenced by an attacker, opening a pathway to exploit the affected versions. The issue has been addressed in versions 5.26.0 of Vega and 5.4.2 of Vega Selections, which have implemented necessary security fixes.

Affected Version(s)
vega < 5.26.0
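
To check a project against the versions above, the following added example (not part of the advisory or of the Vega project) walks an npm lockfile and reports every installed copy of `vega` or `vega-selections`, including nested ones, that predates the fixed releases. It assumes an npm `package-lock.json` with a `packages` map (lockfileVersion 2 or 3) and treats `vega-selections` below 5.4.2 as unfixed, inferred from the fix version named above; the function names and the sample lockfile are constructed for illustration.

```javascript
// Minimum fixed versions, taken from the advisory text above.
const FIXED = { 'vega': [5, 26, 0], 'vega-selections': [5, 4, 2] };

// Parse "major.minor.patch"; pre-release/build suffixes are ignored (simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a is strictly lower than version b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the "packages" map of an npm lockfile. Keys look like
// "node_modules/a/node_modules/vega"; the package name is whatever
// follows the last "node_modules/", so nested copies are found too.
function findUnfixed(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // root project entry ""
    const name = path.slice(idx + 'node_modules/'.length);
    const fixed = FIXED[name];
    if (!fixed) continue;
    const ver = parseVersion(meta.version);
    // An unparseable version is reported too, so it gets a manual look.
    if (ver === null || isBelow(ver, fixed)) {
      findings.push({ path, name, version: meta.version, fixedIn: fixed.join('.') });
    }
  }
  return findings;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'dashboard', version: '1.0.0' },
    'node_modules/vega': { version: '5.25.0' },
    'node_modules/vega-selections': { version: '5.4.2' },
    'node_modules/vega-embed/node_modules/vega-selections': { version: '5.4.1' },
  },
};
console.log(findUnfixed(sampleLock));
```

Nested copies matter here because a top-level upgrade does not replace a vulnerable version pinned under another dependency's own `node_modules`.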
