VulnerableCode Package Details - pkg:npm/vega@5.32.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-mkyf-amf3-mbbe Aliases: CVE-2025-59840 GHSA-7f2v-3qq3-vvjf	Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable Vega offers the evaluation of expressions in a secure context. Arbitrary function call is prohibited. When an event is exposed to an expression, member get of window objects is possible. Because of this exposure, in some applications, a crafted object that overrides its toString method with a function that results in calling `this.foo(this.bar)`, DOM XSS can be achieved. In practice, an accessible gadget like this exists in the global VEGA_DEBUG code. ```js ({ toString: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on, eventName: event.view.console.log, _handlers: { undefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)' }, _handlerIndex: event.view.eval })+1 ```	6.2.0 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-mkyf-amf3-mbbe
Aliases:
CVE-2025-59840
GHSA-7f2v-3qq3-vvjf

Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable Vega offers the evaluation of expressions in a secure context. Arbitrary function call is prohibited. When an event is exposed to an expression, member get of window objects is possible. Because of this exposure, in some applications, a crafted object that overrides its toString method with a function that results in calling `this.foo(this.bar)`, DOM XSS can be achieved. In practice, an accessible gadget like this exists in the global VEGA_DEBUG code. ```js ({ toString: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on, eventName: event.view.console.log, _handlers: { undefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)' }, _handlerIndex: event.view.eval })+1 ```

6.2.0
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-skn9-aqg8-xba8	Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] Calling `replace` with a `RegExp`-like pattern calls `RegExp.prototype[@@replace]`, which can then call an attacker-controlled `exec` function.	CVE-2025-27793 GHSA-963h-3v39-3pqf

Vulnerability

Summary

Aliases

VCID-skn9-aqg8-xba8

Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace] Calling `replace` with a `RegExp`-like pattern calls `RegExp.prototype[@@replace]`, which can then call an attacker-controlled `exec` function.

CVE-2025-27793
GHSA-963h-3v39-3pqf

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-06T06:19:46.716265+00:00	GitLab Importer	Affected by	VCID-mkyf-amf3-mbbe	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/CVE-2025-59840.yml	38.6.0
2026-06-04T17:12:09.104695+00:00	GithubOSV Importer	Fixing	VCID-skn9-aqg8-xba8	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-963h-3v39-3pqf/GHSA-963h-3v39-3pqf.json	38.6.0
2026-06-04T16:23:40.486868+00:00	GitLab Importer	Fixing	VCID-skn9-aqg8-xba8	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/vega/CVE-2025-27793.yml	38.6.0