VulnerableCode Package Details - pkg:npm/vega-expression@3.0.1

Staging Environment: Content and features may be unstable or change without notice.

Search for packages

Package details: pkg:npm/vega-expression@3.0.1

Essentials
History (1)

purl	pkg:npm/vega-expression@3.0.1

Next non-vulnerable version	5.2.1
Latest non-vulnerable version	6.1.0
Risk	4.0

Vulnerabilities affecting this package (1)

Vulnerability	Summary	Fixed by
VCID-mkyf-amf3-mbbe Aliases: CVE-2025-59840 GHSA-7f2v-3qq3-vvjf	Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable Vega offers the evaluation of expressions in a secure context. Arbitrary function call is prohibited. When an event is exposed to an expression, member get of window objects is possible. Because of this exposure, in some applications, a crafted object that overrides its toString method with a function that results in calling `this.foo(this.bar)`, DOM XSS can be achieved. In practice, an accessible gadget like this exists in the global VEGA_DEBUG code. ```js ({ toString: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on, eventName: event.view.console.log, _handlers: { undefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)' }, _handlerIndex: event.view.eval })+1 ```	5.2.1 Affected by 0 other vulnerabilities. 6.1.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-mkyf-amf3-mbbe
Aliases:
CVE-2025-59840
GHSA-7f2v-3qq3-vvjf

Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable Vega offers the evaluation of expressions in a secure context. Arbitrary function call is prohibited. When an event is exposed to an expression, member get of window objects is possible. Because of this exposure, in some applications, a crafted object that overrides its toString method with a function that results in calling `this.foo(this.bar)`, DOM XSS can be achieved. In practice, an accessible gadget like this exists in the global VEGA_DEBUG code. ```js ({ toString: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on, eventName: event.view.console.log, _handlers: { undefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)' }, _handlerIndex: event.view.eval })+1 ```

5.2.1
Affected by 0 other vulnerabilities.

6.1.0
Affected by 0 other vulnerabilities.

Vulnerabilities fixed by this package (0)

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T06:19:49.970680+00:00	GitLab Importer	Affected by	VCID-mkyf-amf3-mbbe	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega-expression/CVE-2025-59840.yml	38.6.0