Vega · Vega · CVE-2025-26619
**Name of the Vulnerable Software and Affected Versions**
vega versions 5.30.0 and lower
vega-functions versions 5.15.0 and lower
**Description**
The issue allows calling JavaScript functions from the Vega expression language that were not meant to be supported. This can be mitigated by running `vega` without `vega.expressionInterpreter`, although this mode is slower. Alternatively, using the interpreter described in CSP-safe mode (Content Security Policy) prevents arbitrary JavaScript from running.
**Recommendations**
For vega versions 5.30.0 and lower, update to version 5.31.0 to resolve the issue.
For vega-functions versions 5.15.0 and lower, update to version 5.16.0 to resolve the issue.
As a temporary workaround, consider running `vega` without `vega.expressionInterpreter` to minimize the risk of exploitation.
Restrict access to the `vega.expressionInterpreter` to minimize the risk of exploitation.
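A quick way to act on the version ranges above is to check a project's lockfile for the affected packages before deciding whether the upgrade or the workaround applies. The following is an added example, not part of the advisory or of the Vega project: it walks a `packages` map in the shape of an npm `package-lock.json` (v2/v3) and reports every copy of `vega` or `vega-functions`, nested ones included, whose version is at or below the affected maximum. The lock data and the `ADVISORY` table are constructed here from the ranges stated in the advisory; the semver comparison only looks at the numeric MAJOR.MINOR.PATCH part.

```javascript
// Added example (not from the advisory): flag installed vega / vega-functions
// versions inside the affected ranges stated for CVE-2025-26619.

const ADVISORY = {
  id: "CVE-2025-26619",
  // name -> { maxAffected, fixed }, copied from the advisory text
  affected: {
    "vega": { maxAffected: "5.30.0", fixed: "5.31.0" },
    "vega-functions": { maxAffected: "5.15.0", fixed: "5.16.0" },
  },
};

// Minimal semver comparison on the numeric MAJOR.MINOR.PATCH part.
// A leading "v", pre-release tags and build metadata are stripped;
// pre-release ordering is deliberately not modelled. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const parse = v => v.replace(/^v/, "").split(/[-+]/)[0]
                      .split(".").map(n => parseInt(n, 10) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    const da = pa[i] ?? 0, db = pb[i] ?? 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Walk a lockfile "packages" map. Keys look like "node_modules/vega" or
// "node_modules/some-dep/node_modules/vega-functions"; nested copies are
// audited too, since a transitive dependency can pin an old version.
function auditLock(packages, advisory = ADVISORY) {
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (!path || !meta || !meta.version) continue; // root entry has key ""
    const name = path.split("node_modules/").pop();
    const rule = advisory.affected[name];
    if (!rule) continue;
    if (compareVersions(meta.version, rule.maxAffected) <= 0) {
      findings.push({ id: advisory.id, path, name, version: meta.version, fixed: rule.fixed });
    }
  }
  return findings;
}

// Constructed sample lock data (hypothetical project, not a real lockfile).
const SAMPLE_PACKAGES = {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/vega": { version: "5.30.0" },                 // affected
  "node_modules/vega-functions": { version: "5.16.0" },       // fixed
  "node_modules/legacy-chart/node_modules/vega-functions": { version: "5.14.2" }, // nested, affected
  "node_modules/vega-lite": { version: "5.21.0" },            // not in scope
};

for (const f of auditLock(SAMPLE_PACKAGES)) {
  console.log(`${f.id}: ${f.path}@${f.version} is affected; upgrade to ${f.fixed}`);
}
```

Running it against the sample data reports `node_modules/vega@5.30.0` and the nested `vega-functions@5.14.2`, while the top-level `vega-functions@5.16.0` passes. The nested copy is the case that `npm ls` output is easiest to miss, which is why the audit walks every key rather than only direct dependencies.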