CVE-2023-26486

Name of the Vulnerable Software and Affected Versions Vega versions prior to 5.13.1

Description The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript. The scale expression function passes a user supplied argument group to getScale, which is then used as if it were an internal context. The context.scales[name].value is accessed from group and called as a function back in scale.

Recommendations For versions prior to 5.13.1, update to version 5.13.1 to resolve the issue. As a temporary workaround, consider restricting the use of the scale expression function to minimize the risk of exploitation. Avoid using the group argument in the scale expression function until the issue is resolved.