VulnerableCode Package Details - pkg:npm/vega@5.30.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-mkyf-amf3-mbbe Aliases: CVE-2025-59840 GHSA-7f2v-3qq3-vvjf	Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable Vega offers the evaluation of expressions in a secure context. Arbitrary function call is prohibited. When an event is exposed to an expression, member get of window objects is possible. Because of this exposure, in some applications, a crafted object that overrides its toString method with a function that results in calling `this.foo(this.bar)`, DOM XSS can be achieved. In practice, an accessible gadget like this exists in the global VEGA_DEBUG code. ```js ({ toString: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on, eventName: event.view.console.log, _handlers: { undefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)' }, _handlerIndex: event.view.eval })+1 ```	6.2.0 Affected by 0 other vulnerabilities.
VCID-ny13-p4z1-vygt Aliases: CVE-2025-26619 GHSA-rcw3-wmx7-cphr	Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter In `vega` 5.30.0 and lower, `vega-functions` 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.	5.31.0 Affected by 2 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-skn9-aqg8-xba8 Aliases: CVE-2025-27793 GHSA-963h-3v39-3pqf	Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] Calling `replace` with a `RegExp`-like pattern calls `RegExp.prototype[@@replace]`, which can then call an attacker-controlled `exec` function.	5.32.0 Affected by 1 other vulnerability. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }}

Vulnerability

Summary

Fixed by

VCID-mkyf-amf3-mbbe
Aliases:
CVE-2025-59840
GHSA-7f2v-3qq3-vvjf

Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable Vega offers the evaluation of expressions in a secure context. Arbitrary function call is prohibited. When an event is exposed to an expression, member get of window objects is possible. Because of this exposure, in some applications, a crafted object that overrides its toString method with a function that results in calling `this.foo(this.bar)`, DOM XSS can be achieved. In practice, an accessible gadget like this exists in the global VEGA_DEBUG code. ```js ({ toString: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on, eventName: event.view.console.log, _handlers: { undefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)' }, _handlerIndex: event.view.eval })+1 ```

6.2.0
Affected by 0 other vulnerabilities.

VCID-ny13-p4z1-vygt
Aliases:
CVE-2025-26619
GHSA-rcw3-wmx7-cphr

Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter In `vega` 5.30.0 and lower, `vega-functions` 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.

5.31.0
Affected by 2 other vulnerabilities.

VCID-skn9-aqg8-xba8
Aliases:
CVE-2025-27793
GHSA-963h-3v39-3pqf

Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] Calling `replace` with a `RegExp`-like pattern calls `RegExp.prototype[@@replace]`, which can then call an attacker-controlled `exec` function.

5.32.0
Affected by 1 other vulnerability.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T06:19:46.707134+00:00	GitLab Importer	Affected by	VCID-mkyf-amf3-mbbe	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/CVE-2025-59840.yml	38.6.0
2026-06-06T05:45:00.281011+00:00	GitLab Importer	Affected by	VCID-ny13-p4z1-vygt	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/CVE-2025-26619.yml	38.6.0
2026-06-06T05:44:55.712168+00:00	GitLab Importer	Affected by	VCID-skn9-aqg8-xba8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/CVE-2025-27793.yml	38.6.0