Arbitrary JavaScript Code Execution in Vega Visualization Library by Vega
CVE-2025-59840

8.1 HIGH

Key Information:

Vendor: Vega
Status: Vendor
CVE Published: 13 November 2025

What is CVE-2025-59840?

Vega is a visualization grammar. In versions prior to 6.2.0, applications that integrate the Vega library are susceptible to arbitrary JavaScript code execution when two conditions are met: a vega.View instance is exposed on the global window, and user-defined Vega JSON definitions (specs) are accepted. Under those conditions, an attacker who can supply a spec can run scripts in the context of the page. The risk persists even under 'safe mode' unless the recommended practices are followed: do not attach Vega instances to global variables, and do not expose them to untrusted sources. Users should update to the fixed versions of the Vega packages and apply the recommended workarounds to protect their applications.
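The advisory names two preconditions (a View reachable from the global window, and user-supplied spec JSON). The following is an added example, not code from the Vega project or from this advisory, of an embedding pattern that removes both: the View is held in closure scope and only a narrow handle is returned, and user input selects a spec from a registry bundled with the application rather than supplying Vega JSON itself. It assumes the npm packages "vega" (a fixed release, 6.2.0 or later) and "vega-interpreter" are installed; the spec registry and the audit helper are constructed for this example.

```javascript
// Added example (not from the Vega project or this advisory): embed a Vega
// view without either precondition named in CVE-2025-59840. Assumes the npm
// packages "vega" (>= 6.2.0) and "vega-interpreter" are installed; the spec
// registry below is constructed sample data.

// Specs bundled with the application. A user request carries only an id;
// the JSON itself never comes from the user.
const TRUSTED_SPECS = Object.freeze({
  bars: Object.freeze({
    $schema: 'https://vega.github.io/schema/vega/v6.json',
    width: 200,
    height: 100,
    data: [{ name: 'table', values: [{ x: 'a', y: 1 }, { x: 'b', y: 3 }] }],
    scales: [
      { name: 'x', type: 'band', domain: { data: 'table', field: 'x' }, range: 'width' },
      { name: 'y', type: 'linear', domain: { data: 'table', field: 'y' }, range: 'height' },
    ],
    marks: [{
      type: 'rect',
      from: { data: 'table' },
      encode: { enter: {
        x: { scale: 'x', field: 'x' },
        width: { scale: 'x', band: 1 },
        y: { scale: 'y', field: 'y' },
        y2: { scale: 'y', value: 0 },
      } },
    }],
  }),
});

// Resolve a user-supplied chart id to a fresh copy of a bundled spec.
// Unknown ids are rejected; the copy keeps callers from mutating the registry.
function selectSpec(id) {
  if (typeof id !== 'string' || !Object.prototype.hasOwnProperty.call(TRUSTED_SPECS, id)) {
    throw new Error(`unknown chart id: ${String(id)}`);
  }
  return JSON.parse(JSON.stringify(TRUSTED_SPECS[id]));
}

// Build the view in "safe mode" (spec parsed to an AST and evaluated by
// vega-interpreter, so expressions are never compiled into JavaScript
// functions) and keep it in closure scope. Callers receive a frozen handle
// with the two operations they need; the View object is never assigned to
// window/globalThis (i.e. never `window.view = view`).
function renderChart(container, id) {
  const vega = require('vega');
  const { expressionInterpreter } = require('vega-interpreter');
  const runtime = vega.parse(selectSpec(id), null, { ast: true });
  const view = new vega.View(runtime, {
    expr: expressionInterpreter,
    renderer: 'svg',
    container,
  });
  return Object.freeze({
    run: () => view.runAsync().then(() => undefined),
    destroy: () => { view.finalize(); },
  });
}

// Audit helper for the first precondition: names of global properties that
// look like a Vega View. Heuristic: every View exposes these three methods.
function globalViewLeaks(globalObj = globalThis) {
  const leaks = [];
  for (const name of Object.getOwnPropertyNames(globalObj)) {
    let value;
    try { value = globalObj[name]; } catch { continue; } // some host globals throw on access
    if (value && typeof value === 'object' &&
        ['runAsync', 'signal', 'toSVG'].every((m) => typeof value[m] === 'function')) {
      leaks.push(name);
    }
  }
  return leaks;
}
```

In the browser, `renderChart(document.getElementById('chart'), userChoice)` is all the page-level code needs; `globalViewLeaks()` can run from a test or a console check after rendering and should return an empty array. Keying specs by id is the simplest form of "do not accept user-defined definitions"; if an application genuinely must accept external specs, that is the case the advisory warns about and the upgrade to 6.2.0 is the essential step.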

Affected Version(s)

Vendor  Package          Affected versions
Vega    vega             < 6.2.0
Vega    vega-expression  >= 6.0.0, < 6.1.0
Vega    vega-expression  < 5.2.1

CVSS V3.1

Score: 8.1
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published

  • Vulnerability Reserved
