PT-2025-13187 · Vega+2

Kprevas · Published 2025-03-27 · Updated 2025-03-28 · CVE-2025-26619

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: vega versions 5.30.0 and lower; vega-functions versions 5.15.0 and lower.

Description: The issue allows calling JavaScript functions from the Vega expression language that were not meant to be supported. This can be mitigated by running vega without vega.expressionInterpreter, although this mode is slower. Alternatively, using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary JavaScript from running.

Recommendations: For vega versions 5.30.0 and lower, update to version 5.31.0 to resolve the issue. For vega-functions versions 5.15.0 and lower, update to version 5.16.0 to resolve the issue. As a temporary workaround, consider running vega without vega.expressionInterpreter to minimize the risk of exploitation. Restrict access to the vega.expressionInterpreter to minimize the risk of exploitation.

Exploit

Fix

XSS


Weakness Enumeration

Related identifiers

CVE-2025-26619
GHSA-RCW3-WMX7-CPHR

Affected products

Debian
Vega
Vega-Functions