PT-2025-13187 · Vega+2

Kprevas · Published 2025-03-27 · Updated 2025-03-28 · CVE-2025-26619

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: vega versions 5.30.0 and lower; vega-functions versions 5.15.0 and lower.

Description: The issue allows calling JavaScript functions from the Vega expression language that were not meant to be supported. It can be mitigated by running vega without vega.expressionInterpreter, although that mode is slower. Alternatively, using the interpreter described in CSP-safe mode (Content Security Policy) prevents arbitrary JavaScript from running.

Recommendations: For vega versions 5.30.0 and lower, update to version 5.31.0 to resolve the issue. For vega-functions versions 5.15.0 and lower, update to version 5.16.0 to resolve the issue. As a temporary workaround, run vega without vega.expressionInterpreter, or restrict access to vega.expressionInterpreter, to minimize the risk of exploitation.

Exploit · Fix · XSS


Related Identifiers

CVE-2025-26619
GHSA-RCW3-WMX7-CPHR

Affected Products

Debian
Vega
Vega-Functions