Django REST framework

Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-cxkk-nbnz-myaa

Summary

Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope
Vega offers the evaluation of expressions in a secure context. Arbitrary function call is prohibited. When an event is exposed to an expression, member get of window objects is possible. Because of this exposure, in some applications, a crafted object that sets a `map` value with a function copied from the window that results in calling `this.foo(this.bar)` can be passed to the vlSelectionTuples function, calling the copied `map` function, allowing DOM XSS to be achieved.

In practice, an accessible gadget like this exists in the global VEGA_DEBUG code.

```js
vlSelectionTuples({
map: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on,
eventName: event.view.console.log,
_handlers:{
undefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)'
},
_handlerIndex: event.view.eval
})
```

Aliases

alias	CVE-2025-65110

alias	GHSA-829q-m3qg-ph8r

Fixed_packages

url	pkg:deb/debian/vega.js@5.33.1%2Bds%2B~cs5.3.0-4
purl	pkg:deb/debian/vega.js@5.33.1%2Bds%2B~cs5.3.0-4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/vega.js@5.33.1%252Bds%252B~cs5.3.0-4

url	pkg:deb/debian/vega.js@5.33.1%2Bds%2B~cs5.3.0-4?distro=trixie
purl	pkg:deb/debian/vega.js@5.33.1%2Bds%2B~cs5.3.0-4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/vega.js@5.33.1%252Bds%252B~cs5.3.0-4%3Fdistro=trixie

url	pkg:npm/vega-selections@5.6.3
purl	pkg:npm/vega-selections@5.6.3
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.6.3

url	pkg:npm/vega-selections@6.1.2
purl	pkg:npm/vega-selections@6.1.2
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@6.1.2

Affected_packages

url pkg:deb/debian/vega.js@5.22.1%2Bds%2B~3.1.0-4

purl pkg:deb/debian/vega.js@5.22.1%2Bds%2B~3.1.0-4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6gd1-bqau-17gd

vulnerability	VCID-7c32-k9j8-v7dy

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-fkxw-kvr8-tyeg

vulnerability	VCID-mfd1-x3jm-qqbk

vulnerability	VCID-mkyf-amf3-mbbe

vulnerability	VCID-ny13-p4z1-vygt

vulnerability	VCID-skn9-aqg8-xba8

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/vega.js@5.22.1%252Bds%252B~3.1.0-4

url pkg:deb/debian/vega.js@5.22.1%2Bds%2B~3.1.0-4?distro=trixie

purl pkg:deb/debian/vega.js@5.22.1%2Bds%2B~3.1.0-4?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-6gd1-bqau-17gd

vulnerability	VCID-7c32-k9j8-v7dy

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-fkxw-kvr8-tyeg

vulnerability	VCID-mfd1-x3jm-qqbk

vulnerability	VCID-mkyf-amf3-mbbe

vulnerability	VCID-ny13-p4z1-vygt

vulnerability	VCID-skn9-aqg8-xba8

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/vega.js@5.22.1%252Bds%252B~3.1.0-4%3Fdistro=trixie

url pkg:deb/debian/vega.js@5.28.0%2Bds%2B~cs5.3.0-1

purl pkg:deb/debian/vega.js@5.28.0%2Bds%2B~cs5.3.0-1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-mfd1-x3jm-qqbk

vulnerability	VCID-mkyf-amf3-mbbe

vulnerability	VCID-ny13-p4z1-vygt

vulnerability	VCID-skn9-aqg8-xba8

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/vega.js@5.28.0%252Bds%252B~cs5.3.0-1

url pkg:deb/debian/vega.js@5.28.0%2Bds%2B~cs5.3.0-1?distro=trixie

purl pkg:deb/debian/vega.js@5.28.0%2Bds%2B~cs5.3.0-1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-mfd1-x3jm-qqbk

vulnerability	VCID-mkyf-amf3-mbbe

vulnerability	VCID-ny13-p4z1-vygt

vulnerability	VCID-skn9-aqg8-xba8

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/vega.js@5.28.0%252Bds%252B~cs5.3.0-1%3Fdistro=trixie

url pkg:npm/vega-selections@5.0.0

purl pkg:npm/vega-selections@5.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-fkxw-kvr8-tyeg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.0.0

url pkg:npm/vega-selections@5.0.1

purl pkg:npm/vega-selections@5.0.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-fkxw-kvr8-tyeg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.0.1

url pkg:npm/vega-selections@5.1.0

purl pkg:npm/vega-selections@5.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-fkxw-kvr8-tyeg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.1.0

url pkg:npm/vega-selections@5.1.1

purl pkg:npm/vega-selections@5.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-fkxw-kvr8-tyeg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.1.1

url pkg:npm/vega-selections@5.1.2

purl pkg:npm/vega-selections@5.1.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-fkxw-kvr8-tyeg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.1.2

url pkg:npm/vega-selections@5.1.3

purl pkg:npm/vega-selections@5.1.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-fkxw-kvr8-tyeg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.1.3

url pkg:npm/vega-selections@5.1.4

purl pkg:npm/vega-selections@5.1.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-fkxw-kvr8-tyeg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.1.4

url pkg:npm/vega-selections@5.1.5

purl pkg:npm/vega-selections@5.1.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-fkxw-kvr8-tyeg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.1.5

url pkg:npm/vega-selections@5.2.0

purl pkg:npm/vega-selections@5.2.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-fkxw-kvr8-tyeg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.2.0

url pkg:npm/vega-selections@5.3.0

purl pkg:npm/vega-selections@5.3.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-fkxw-kvr8-tyeg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.3.0

url pkg:npm/vega-selections@5.3.1

purl pkg:npm/vega-selections@5.3.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-fkxw-kvr8-tyeg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.3.1

url pkg:npm/vega-selections@5.4.0

purl pkg:npm/vega-selections@5.4.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-fkxw-kvr8-tyeg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.4.0

url pkg:npm/vega-selections@5.4.1

purl pkg:npm/vega-selections@5.4.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

vulnerability	VCID-fkxw-kvr8-tyeg

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.4.1

url pkg:npm/vega-selections@5.4.2

purl pkg:npm/vega-selections@5.4.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.4.2

url pkg:npm/vega-selections@5.5.0

purl pkg:npm/vega-selections@5.5.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.5.0

url pkg:npm/vega-selections@5.6.0

purl pkg:npm/vega-selections@5.6.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.6.0

url pkg:npm/vega-selections@5.6.1

purl pkg:npm/vega-selections@5.6.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.6.1

url pkg:npm/vega-selections@5.6.2

purl pkg:npm/vega-selections@5.6.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@5.6.2

url pkg:npm/vega-selections@6.0.0

purl pkg:npm/vega-selections@6.0.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@6.0.0

url pkg:npm/vega-selections@6.1.0

purl pkg:npm/vega-selections@6.1.0

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@6.1.0

url pkg:npm/vega-selections@6.1.1

purl pkg:npm/vega-selections@6.1.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-cxkk-nbnz-myaa

resource_url http://public2.vulnerablecode.io/packages/pkg:npm/vega-selections@6.1.1

References

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-65110.json

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-65110.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-65110

reference_id

reference_type

scores

value	0.00025
scoring_system	epss
scoring_elements	0.07287
published_at	2026-06-09T12:55:00Z

value	0.00025
scoring_system	epss
scoring_elements	0.07333
published_at	2026-06-05T12:55:00Z

value	0.00025
scoring_system	epss
scoring_elements	0.07339
published_at	2026-06-06T12:55:00Z

value	0.00025
scoring_system	epss
scoring_elements	0.07319
published_at	2026-06-07T12:55:00Z

value	0.00025
scoring_system	epss
scoring_elements	0.07275
published_at	2026-06-08T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-65110

reference_url

https://github.com/vega/vega

reference_id

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/vega/vega

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125184
reference_id	1125184
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125184

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2427235
reference_id	2427235
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2427235

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-65110

reference_id

CVE-2025-65110

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-65110

reference_url

https://github.com/advisories/GHSA-829q-m3qg-ph8r

reference_id

GHSA-829q-m3qg-ph8r

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-829q-m3qg-ph8r

reference_url

https://github.com/vega/vega/security/advisories/GHSA-829q-m3qg-ph8r

reference_id

GHSA-829q-m3qg-ph8r

reference_type

scores

value	8.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track*
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-01-05T21:39:12Z/

url

https://github.com/vega/vega/security/advisories/GHSA-829q-m3qg-ph8r

Weaknesses

cwe_id	79
name	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
description	The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

cwe_id	937
name	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.

cwe_id	1035
name	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description	Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.

Exploits

Severity_range_score 7.0 - 8.9

Exploitability 0.5

Weighted_severity 8.0

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-cxkk-nbnz-myaa

Vulnerability Instance