Search for packages
| purl | pkg:npm/vega-functions@5.7.3 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-1tv4-wffc-f3cu
Aliases: CVE-2023-26486 GHSA-4vq7-882g-wcg4 GMS-2023-580 GMS-2023-583 |
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a user supplied argument group to getScale, which is then used as if it were an internal context. The context.scales[name].value is accessed from group and called as a function back in scale. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript. This issue has been fixed in version 5.13.1. |
Affected by 3 other vulnerabilities. |
|
VCID-6233-y2x7-rbcm
Aliases: CVE-2025-26619 GHSA-rcw3-wmx7-cphr |
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In `vega` 5.30.0 and lower and in `vega-functions` 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. The issue is patched in `vega` `5.31.0` and `vega-functions` `5.16.0`. Some workarounds are available. Run `vega` without `vega.expressionInterpreter`. This mode is not the default as it is slower. Alternatively, using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability. |
Affected by 2 other vulnerabilities. |
|
VCID-jzdz-tvhs-1bf6
Aliases: CVE-2025-66648 GHSA-m9rg-mr6g-75gm |
vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue. |
Affected by 0 other vulnerabilities. |
|
VCID-k7tv-4e6w-mkd7
Aliases: CVE-2025-27793 GHSA-963h-3v39-3pqf |
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library was used with the `vega-interpreter`. Vega version 5.32.0 and vega-functions version 5.17.0 fix the issue. As a workaround, use `vega` with expression interpreter. |
Affected by 1 other vulnerability. |
|
VCID-ten6-jvg2-hbes
Aliases: CVE-2023-26487 GHSA-w5m3-xh75-mp55 GMS-2023-582 GMS-2023-584 |
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs.`lassoAppend' function accepts 3 arguments and internally invokes `push` function on the 1st argument specifying array consisting of 2nd and 3rd arguments as `push` call argument. The type of the 1st argument is supposed to be an array, but it's not enforced. This makes it possible to specify any object with a `push` function as the 1st argument, `push` function can be set to any function that can be access via `event.view` (no all such functions can be exploited due to invalid context or signature, but some can, e.g. `console.log`). The issue is that`lassoAppend` doesn't enforce proper types of its arguments. This issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS `setImmediate` polyfill basically allows `eval`-like functionality). This issue was patched in 5.23.0. |
Affected by 3 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||