Arbitrary JavaScript Execution in Vega Visualization Tool
CVE-2025-26619

5.3MEDIUM

Key Information:

Vendor

Vega

Status
Vega
Vendor
CVE Published:
27 March 2025

What is CVE-2025-26619?

The Vega visualization grammar is susceptible to an issue that permits the execution of unauthorized JavaScript functions through the Vega expression language in versions 5.30.0 and below, as well as in 'vega-functions' version 5.15.0 and lower. Although a patch has been released in version 5.31.0 for 'vega' and version 5.16.0 for 'vega-functions', users should exercise caution. As a temporary mitigation, running 'vega' without the 'vega.expressionInterpreter' can be considered, although it is slower and not the default mode. Alternatively, operating in CSP safe mode mitigates the risk of arbitrary JavaScript execution.

Affected Version(s)

vega < 5.31.0

References

https://github.com/vega/vega/security/advisories/GHSA-rcw...
x_refsource_CONFIRM
https://github.com/vega/vega-lite/issues/9469
x_refsource_MISC
https://github.com/vega/vega/issues/3984
x_refsource_MISC

CVSS V4

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.