CVE-2025-25304
Description
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the vlSelectionTuples function can be used to call JavaScript functions, leading to cross-site scripting.vlSelectionTuples calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. This can be used to call Function() with arbitrary JavaScript and the resulting function can be called with vlSelectionTuples or using a type coercion to call toString or valueOf. Version 5.26.0 of vega and 5.4.2 of vega-selections fix this issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
veganpm | < 5.26.0 | 5.26.0 |
vega-selectionsnpm | < 5.4.2 | 5.4.2 |
Affected products
3- ghsa-coords2 versions
< 5.26.0+ 1 more
- (no CPE)range: < 5.26.0
- (no CPE)range: < 5.4.2
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-mp7w-mhcv-673jghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-25304ghsaADVISORY
- github.com/vega/vega/blob/b45cf431cd6c0d0c0e1567f087f9b3b55bc236fa/packages/vega-selections/src/selectionTuples.jsnvdWEB
- github.com/vega/vega/commit/9fb9ea07e27984394e463d286eb73944fa61411envdWEB
- github.com/vega/vega/security/advisories/GHSA-mp7w-mhcv-673jnvdWEB
News mentions
0No linked articles in our index yet.