PT-2025-46878 · Vega+2 · Vega+3

Published 2025-11-12 · Updated 2025-12-09 · CVE-2025-59840
CVSS v2.0 8.5 High
Vector AV:N/AC:L/Au:N/C:P/I:C/A:N
Name of the Vulnerable Software and Affected Versions
Vega versions prior to 6.2.0
vega-expression versions prior to 6.1.0
vega-interpreter versions prior to 2.2.1
vega-expression versions prior to 5.2.1
vega-interpreter versions prior to 1.2.1
Description
Vega is a visualization grammar for creating and sharing interactive visualization designs. Applications using Vega are at risk of arbitrary JavaScript code execution if they meet two conditions: they use the vega library with a vega.View instance attached to the global window object, and they allow user-defined Vega JSON definitions. This issue can be exploited even when the "safe mode" expressionInterpreter is used. The root cause is the exposure of the event member get of window objects, which allows a crafted object to override its toString method and achieve DOM XSS. A proof of concept (PoC) demonstrates how to achieve XSS by leveraging a gadget in the global VEGA_DEBUG code. The vulnerability requires user interaction with the page to trigger and can lead to theft of sensitive information or unauthorized actions.
Recommendations
Upgrade to vega 6.2.0
Upgrade to vega-expression 6.1.0
Upgrade to vega-interpreter 2.2.1
Upgrade to vega-expression 5.2.1
Upgrade to vega-interpreter 1.2.1
Do not attach vega View instances to global variables.
Do not attach vega to the global window.
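The script below is an added example, not part of this advisory and not code from the Vega project. It turns the affected-version list and the two integration recommendations into checks a practitioner can run offline: an audit of an npm package-lock.json for the three packages (including nested copies), and a scan of a window-like object for the exposure pattern the advisory warns about. It assumes that the two fix versions listed for vega-expression and vega-interpreter belong to two maintained release lines (5.x/1.x and 6.x/2.x), so a version is affected when it is below the fix for its own major line or below the lowest listed fix, and it recognises a vega.View instance by duck typing on its public signal() and runAsync() methods. The lockfile and window object are constructed sample data.

```javascript
// Added example: audit for the Vega advisory above. Not Vega project code.

// First fixed version per release line, as listed in the advisory. Two entries
// mean two maintained lines (vega-expression 5.x fixed in 5.2.1, 6.x in 6.1.0).
// Assumption: a version on an older line than the lowest listed fix is affected;
// a version on a newer line than every listed fix is not.
const FIXED_VERSIONS = {
  "vega": ["6.2.0"],
  "vega-expression": ["5.2.1", "6.1.0"],
  "vega-interpreter": ["1.2.1", "2.2.1"],
};

// Parse "x.y.z" (tolerating a leading v/^/~ and a prerelease suffix) into numbers.
function parseVersion(text) {
  const m = /^[v=^~\s]*(\d+)\.(\d+)\.(\d+)/.exec(String(text));
  if (!m) throw new Error(`unparseable version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Returns the fixed version to upgrade to, or null when the package is not one
// of the three or the installed version is already at or past its line's fix.
function fixFor(pkg, version) {
  const fixes = FIXED_VERSIONS[pkg];
  if (!fixes) return null;
  const v = parseVersion(version);
  const parsedFixes = fixes.map(parseVersion).sort(compareVersions);
  const sameLine = parsedFixes.find((f) => f[0] === v[0]);
  const target = sameLine || parsedFixes[0]; // older line: move up to the lowest fix
  return compareVersions(v, target) < 0 ? target.join(".") : null;
}

function isAffected(pkg, version) {
  return fixFor(pkg, version) !== null;
}

// Walk a package-lock.json (lockfileVersion 2 or 3) and report every affected
// install, including nested copies under node_modules/<dep>/node_modules/.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1 || !entry.version) continue; // root entry or a link without a version
    const name = path.slice(idx + "node_modules/".length);
    const upgradeTo = fixFor(name, entry.version);
    if (upgradeTo) findings.push({ path, name, version: entry.version, upgradeTo });
  }
  return findings;
}

// Check the integration conditions the advisory names: vega itself, the
// VEGA_DEBUG gadget, or a vega.View instance reachable as an enumerable global.
// Assumption: a View is recognised by its public signal() and runAsync() methods.
function findGlobalVegaExposure(globalObj) {
  const exposed = [];
  for (const key of Object.keys(globalObj)) {
    const val = globalObj[key];
    if (key === "vega" || key === "VEGA_DEBUG") {
      exposed.push(key);
    } else if (val && typeof val === "object" &&
               typeof val.signal === "function" && typeof val.runAsync === "function") {
      exposed.push(`${key} (vega.View instance)`);
    }
  }
  return exposed;
}

// Constructed sample lockfile (not from a real project): one direct vega install
// on an affected 6.x version and a nested 5.x vega-expression under another dep.
const SAMPLE_LOCK = {
  name: "dashboard",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { vega: "^6.1.0" } },
    "node_modules/vega": { version: "6.1.2" },
    "node_modules/vega-expression": { version: "6.0.0" },
    "node_modules/vega-interpreter": { version: "2.2.1" },
    "node_modules/legacy-widget": { version: "1.0.0" },
    "node_modules/legacy-widget/node_modules/vega-expression": { version: "5.2.0" },
  },
};

// Constructed stand-in for window in a page that followed the risky pattern.
const SAMPLE_WINDOW = {
  vega: {},
  VEGA_DEBUG: {},
  view: { signal() {}, runAsync() {} },
  location: {},
};

console.log(auditLockfile(SAMPLE_LOCK));
console.log(findGlobalVegaExposure(SAMPLE_WINDOW));
```

In a real deployment, pass the parsed package-lock.json to auditLockfile() in CI and run findGlobalVegaExposure(window) from the browser console or a test page; any non-empty result from the second call means a View or the library is reachable from the global object, which the advisory's recommendations say to avoid regardless of version.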

Exploit

Fix

XSS

Weakness Enumeration

Related Identifiers

BDU:2025-14394
CVE-2025-59840
GHSA-7F2V-3QQ3-VVJF

Affected Products

Debian
Vega
Vega-Expression
Vega-Interpreter