VYPR
Medium severity · NVD Advisory · Published Mar 27, 2025 · Updated Apr 15, 2026

CVE-2025-27793

Description

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0 (corresponding to vega-functions prior to version 5.17.0), a Vega or Vega-Lite JSON definition could cause unexpected JavaScript code to run when the graph was rendered, unless the library was used with the vega-interpreter. Vega version 5.32.0 and vega-functions version 5.17.0 fix the issue. As a workaround, run Vega with the expression interpreter (vega-interpreter) instead of the default compiled expressions.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package         Ecosystem  Affected versions  Patched versions
vega            npm        < 5.32.0           5.32.0
vega-functions  npm        < 5.17.0           5.17.0

Patches

2 patches

694560c0aa57

Merge commit from fork

https://github.com/vega/vega · Cameron Yick · Feb 14, 2025 · via ghsa
1 file changed · +3 −1
  • packages/vega-functions/src/functions/sequence.js  +3 −1  modified
    @@ -1,4 +1,4 @@
    -import { ascending, error, isArray, isFunction, isString } from 'vega-util';
    +import { ascending, error, isArray, isFunction, isRegExp, isString } from 'vega-util';
     
     function array(seq) {
       return isArray(seq) || ArrayBuffer.isView(seq) ? seq : null;
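Review bot: the added `isRegExp` import needs a vega-util version that actually exports that helper, and this commit touches only this one file (1 file changed), so the vega-util dependency range declared by packages/vega-functions must already guarantee it; if it does not, the import fails to link or resolves to undefined and the guard that consumes it below throws a TypeError on every call to `replace`, including benign ones. Worth confirming the dependency floor as part of this change.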
    @@ -26,6 +26,8 @@ export function slice(seq, ...args) {
     
     export function replace(str, pattern, repl) {
       if (isFunction(repl)) error('Function argument passed to replace.');
    +  if (!isString(pattern) && !isRegExp(pattern)) error('Please pass a string or RegExp argument to replace.');
    +
       return String(str).replace(pattern, repl);
     }
     export function reverse(seq) {
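Review bot: constraining `pattern` here is the correct fix, because `String.prototype.replace` will look up and call a `Symbol.replace` method on any object handed to it as the first argument, so the earlier `isFunction(repl)` check on its own left that argument unguarded. Two follow-ups on the new line: the message "Please pass a string or RegExp argument to replace." reads differently from the existing "Function argument passed to replace." style, so something like "Non-string, non-RegExp pattern passed to replace." would keep the errors uniform; and since the guard is only as strong as what `isRegExp` accepts, which this diff does not show, it is worth confirming that the helper cannot be satisfied by a plain object that merely spoofs a RegExp's string tag, or documenting why expression-language values cannot carry such a tag.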
    
c46889df45c5

Vulnerability mechanics

The fix diff above is the clearest guide to the mechanics. Before vega-functions 5.17.0, the expression-language `replace` helper forwarded whatever it received as `pattern` straight into `String(str).replace(pattern, repl)`, guarding only against a function being passed as `repl`. JavaScript's `String.prototype.replace` does not require its first argument to be a string or a RegExp: for any object that exposes a `Symbol.replace` method it calls that method with the subject string and the replacement, and returns whatever the method returns, so a non-string, non-RegExp pattern reaching that line lets the object's own code run during rendering. The patch closes the path by rejecting any `pattern` that is neither a string nor a RegExp (as classified by vega-util's `isRegExp`). The description's workaround, running Vega with the vega-interpreter rather than the default compiled expressions, sidesteps the issue independently of this check.
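To make the description and the fix diff concrete, the following is an added example, not Vega's code: a stand-in for the pre-fix and post-fix `replace` helper from packages/vega-functions, driven against a constructed "pattern" object that carries a `Symbol.replace` method. The `isString`, `isFunction` and `isRegExp` predicates mirror the vega-util imports in the diff but their bodies here are this example's own assumptions, as are `ExprError`, `makeHostilePattern` and `demo`.

```javascript
// Added example (not Vega's or vega-util's code). Minimal stand-ins for the
// vega-util predicates imported in the diff; the bodies are assumptions.
const isString = v => typeof v === 'string';
const isFunction = v => typeof v === 'function';
const isRegExp = v => Object.prototype.toString.call(v) === '[object RegExp]';

// Stand-in for vega-util's error(): throw so the caller can observe rejection.
class ExprError extends Error {}
const error = msg => { throw new ExprError(msg); };

// Pre-fix shape (vega-functions < 5.17.0, per the diff): only `repl` is checked,
// so `pattern` reaches String.prototype.replace unvalidated.
function replaceVulnerable(str, pattern, repl) {
  if (isFunction(repl)) error('Function argument passed to replace.');
  return String(str).replace(pattern, repl);
}

// Post-fix shape (vega-functions 5.17.0): `pattern` must be a string or RegExp.
function replaceFixed(str, pattern, repl) {
  if (isFunction(repl)) error('Function argument passed to replace.');
  if (!isString(pattern) && !isRegExp(pattern)) error('Please pass a string or RegExp argument to replace.');
  return String(str).replace(pattern, repl);
}

// Constructed pattern object (hypothetical, for this example). Per ECMAScript,
// String.prototype.replace looks up pattern[Symbol.replace] and, when present,
// calls it with (subjectString, replaceValue) and returns its result verbatim.
function makeHostilePattern(log) {
  return {
    [Symbol.replace](str, repl) {
      log.push(`Symbol.replace invoked with ${JSON.stringify(str)}, ${JSON.stringify(repl)}`);
      return 'attacker-controlled result';
    }
  };
}

// Runs both versions on the same inputs and reports what each did.
function demo() {
  const log = [];
  const hostile = makeHostilePattern(log);

  // Benign string and RegExp patterns behave the same in both versions.
  const benignOld = replaceVulnerable('a-b-c', '-', '+');
  const benignNew = replaceFixed('a-b-c', /-/g, '+');

  // Vulnerable version: the object's method runs and its return value wins.
  const hostileOld = replaceVulnerable('a-b-c', hostile, 'x');

  // Fixed version: rejected before String.prototype.replace ever sees the object.
  let fixedRejected = false;
  try {
    replaceFixed('a-b-c', hostile, 'x');
  } catch (e) {
    fixedRejected = e instanceof ExprError;
  }

  return { benignOld, benignNew, hostileOld, fixedRejected, callbackInvocations: log.length };
}

console.log(demo());
```

The point to take from the run is the `callbackInvocations` count: the vulnerable shape invokes the object's `Symbol.replace` once and returns its output as the expression result, while the fixed shape throws before the string method is reached, so the count does not increase. Which expression-language values could actually carry such a method in a given Vega deployment is outside what this page shows; the example only demonstrates why the `pattern` type check matters.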
