VYPR
Medium severityOSV Advisory· Published Feb 14, 2025· Updated Jun 17, 2026

CVE-2025-25304

CVE-2025-25304

Description

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the vlSelectionTuples function can be used to call JavaScript functions, leading to cross-site scripting.vlSelectionTuples calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. This can be used to call Function() with arbitrary JavaScript and the resulting function can be called with vlSelectionTuples or using a type coercion to call toString or valueOf. Version 5.26.0 of vega and 5.4.2 of vega-selections fix this issue.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
veganpm
< 5.26.05.26.0
vega-selectionsnpm
< 5.4.25.4.2

Affected products

3

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.