Package details: pkg:npm/vega@2.2.5
purl pkg:npm/vega@2.2.5
Next non-vulnerable version 4.5.1
Latest non-vulnerable version 6.2.0
Risk
Vulnerabilities affecting this package (8)
Vulnerability Summary Fixed by
VCID-1tv4-wffc-f3cu
Aliases:
CVE-2023-26486
GHSA-4vq7-882g-wcg4
GMS-2023-580
GMS-2023-583
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a user supplied argument group to getScale, which is then used as if it were an internal context. The context.scales[name].value is accessed from group and called as a function back in scale. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript. This issue has been fixed in version 5.13.1.
5.23.0
Affected by 4 other vulnerabilities.
VCID-6233-y2x7-rbcm
Aliases:
CVE-2025-26619
GHSA-rcw3-wmx7-cphr
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In `vega` 5.30.0 and lower and in `vega-functions` 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. The issue is patched in `vega` `5.31.0` and `vega-functions` `5.16.0`. Some workarounds are available. Run `vega` without `vega.expressionInterpreter`. This mode is not the default as it is slower. Alternatively, using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary JavaScript from running, so users of this mode are not affected by this vulnerability.
5.31.0
Affected by 2 other vulnerabilities.
VCID-7fys-twsr-m7g1
Aliases:
GHSA-cp47-r258-q626
GMS-2023-581
Vega vulnerable to arbitrary code execution when clicking href links: Vega is vulnerable to arbitrary code execution when clicking href links. Versions 5.4.1 and 4.5.1 contain a patch.
4.5.1
Affected by 0 other vulnerabilities.
5.0.0-rc1
Affected by 7 other vulnerabilities.
5.4.1
Affected by 0 other vulnerabilities.
5.5.0
Affected by 7 other vulnerabilities.
VCID-7qh6-dzqw-rkgm
Aliases:
CVE-2025-59840
GHSA-7f2v-3qq3-vvjf
6.2.0
Affected by 0 other vulnerabilities.
VCID-k7tv-4e6w-mkd7
Aliases:
CVE-2025-27793
GHSA-963h-3v39-3pqf
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library was used with the `vega-interpreter`. Vega version 5.32.0 and vega-functions version 5.17.0 fix the issue. As a workaround, use `vega` with expression interpreter.
5.32.0
Affected by 1 other vulnerability.
VCID-ke6z-mtfd-wqdr
Aliases:
CVE-2025-25304
GHSA-mp7w-mhcv-673j
5.26.0
Affected by 3 other vulnerabilities.
VCID-pz4g-pvp7-43h8
Aliases:
CVE-2020-26296
GHSA-r2qc-w64x-6j54
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Vega is an npm package. In Vega before version 5.17.3 there is an XSS vulnerability in Vega expressions. Through a specially crafted Vega expression, an attacker could execute arbitrary JavaScript on a victim's machine. This is fixed in version 5.17.3.
5.17.3
Affected by 6 other vulnerabilities.
VCID-ten6-jvg2-hbes
Aliases:
CVE-2023-26487
GHSA-w5m3-xh75-mp55
GMS-2023-582
GMS-2023-584
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The `lassoAppend` function accepts 3 arguments and internally invokes the `push` function on the 1st argument, passing an array consisting of the 2nd and 3rd arguments as the `push` call argument. The type of the 1st argument is supposed to be an array, but this is not enforced. This makes it possible to specify any object with a `push` function as the 1st argument; the `push` function can be set to any function that can be accessed via `event.view` (not all such functions can be exploited due to invalid context or signature, but some can, e.g. `console.log`). The issue is that `lassoAppend` doesn't enforce proper types of its arguments. This issue opens various XSS vectors, but the exact impact and severity depend on the environment (e.g. the Core JS `setImmediate` polyfill basically allows `eval`-like functionality). This issue was patched in 5.23.0.
5.23.0
Affected by 4 other vulnerabilities.
Vulnerabilities fixed by this package (0)
Vulnerability Summary Aliases
This package is not known to fix vulnerabilities.

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-12T20:29:10.484168+00:00 GitLab Importer Affected by VCID-7qh6-dzqw-rkgm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/CVE-2025-59840.yml 38.6.0
2026-06-12T19:57:22.441171+00:00 GitLab Importer Affected by VCID-6233-y2x7-rbcm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/CVE-2025-26619.yml 38.6.0
2026-06-12T19:57:18.879635+00:00 GitLab Importer Affected by VCID-k7tv-4e6w-mkd7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/CVE-2025-27793.yml 38.6.0
2026-06-12T19:52:42.062827+00:00 GitLab Importer Affected by VCID-ke6z-mtfd-wqdr https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/CVE-2025-25304.yml 38.6.0
2026-06-12T18:47:54.075932+00:00 GitLab Importer Affected by VCID-1tv4-wffc-f3cu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/GMS-2023-580.yml 38.6.0
2026-06-12T18:47:52.764993+00:00 GitLab Importer Affected by VCID-ten6-jvg2-hbes https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/GMS-2023-582.yml 38.6.0
2026-06-12T18:47:52.009412+00:00 GitLab Importer Affected by VCID-7fys-twsr-m7g1 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/GMS-2023-581.yml 38.6.0
2026-06-12T17:31:32.478399+00:00 GitLab Importer Affected by VCID-pz4g-pvp7-43h8 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/CVE-2020-26296.yml 38.6.0