Cross-Site Scripting Vulnerability in Vega Visualization Library
CVE-2025-25304
6.9 MEDIUM
What is CVE-2025-25304?
The Vega visualization library, prior to version 5.26.0, contains a vulnerability in the vlSelectionTuples function that permits cross-site scripting. This flaw allows an attacker to manipulate the function to execute arbitrary JavaScript code via an attacker-controlled argument. Specifically, the vlSelectionTuples function can invoke multiple functions that may be influenced by an attacker, opening a pathway to exploit the affected versions. The issue has been addressed in version 5.26.0 of Vega and version 5.4.2 of Vega Selections, which have implemented the necessary security fixes.
Affected Version(s)
vega < 5.26.0
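
To check whether a project still resolves a release older than the fixed versions named above, the following added example (not code from the Vega project or from this advisory) walks the packages map of an npm package-lock.json, including nested copies pulled in by other dependencies. It assumes the npm package names are vega and vega-selections; the helper names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flags lockfile entries older than the fixed releases named above.
// Assumption: the npm package names are "vega" and "vega-selections".
const FIXED = { "vega": "5.26.0", "vega-selections": "5.4.2" };

// Parse "major.minor.patch"; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a sorts strictly before version b.
function isOlder(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  if (!pa || !pb) return false;
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Walk "packages" of a package-lock.json (lockfileVersion 2 or 3), nested copies included.
function findAffected(lock) {
  const hits = [];
  for (const [path, info] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !info || !info.version) continue;
    const name = path.slice(idx + "node_modules/".length);
    const fixed = FIXED[name];
    if (fixed && isOlder(info.version, fixed)) {
      hits.push({ path, name, version: info.version, fixed });
    }
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "dashboard", version: "1.0.0" },
    "node_modules/vega": { version: "5.25.0" },
    "node_modules/vega-selections": { version: "5.4.2" },
    "node_modules/vega-embed/node_modules/vega": { version: "5.26.0" },
    "node_modules/legacy-charts/node_modules/vega-selections": { version: "5.4.1" }
  }
};
for (const h of findAffected(sampleLock)) {
  console.log(`${h.path}: ${h.name}@${h.version} is older than ${h.fixed}`);
}
```

To run it against a real project, pass the parsed contents of that project's package-lock.json to findAffected in place of the sample object.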