PT-2026-1339 · Vega +1

Published: 2026-01-05 · Updated: 2026-01-06 · CVE-2025-65110

CVSS v3.1: 9.3 (Critical)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Vega versions prior to 6.1.2; Vega versions prior to 5.6.3

Description
Vega is a visualization grammar used for creating and sharing interactive visualization designs. Applications using Vega prior to versions 6.1.2 and 5.6.3 are susceptible to arbitrary JavaScript code execution, even when utilizing the "safe mode" expressionInterpreter. This occurs when the application attaches both the vega library and a vega.View instance to the global window, or has other function gadgets in the global scope, and allows user-defined Vega JSON definitions. The issue allows DOM-based Cross-Site Scripting (XSS), potentially stored or reflected, and requires user interaction to trigger. An attacker can exploit this by tricking a user into opening a malicious Vega specification, leading to the execution of arbitrary JavaScript code within the application's domain. This can result in the theft of sensitive information, data manipulation, or unauthorized actions. The vulnerability compromises the confidentiality and integrity of impacted applications.

Recommendations
Versions prior to 6.1.2 should be updated to 6.1.2 or later. Versions prior to 5.6.3 should be updated to 5.6.3 or later. Do not attach vega or vega.View instances to global variables or the window.
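The two recommendations above translate into two checks a defender can automate: is the deployed Vega build inside the affected ranges (anything before 5.6.3, or a 6.x build before 6.1.2), and does the page still expose the vega namespace or a vega.View instance on the global object? The following is an added example written for this advisory, not code from the Vega project or from the advisory itself. The fixed versions come from the advisory; the property-shape heuristics used to recognise the library (a View constructor plus a parse function) and a View instance (run, signal and toSVG methods) are assumptions for this example, and the window-like objects are constructed stand-ins so it runs without Vega installed.

```javascript
// Added example for PT-2026-1339 / CVE-2025-65110 (not from the advisory or Vega).
// Fixed versions per the advisory: 5.6.3 and 6.1.2.
const FIX_5 = [5, 6, 3];
const FIX_6 = [6, 1, 2];

// Parse "major.minor.patch" (optional leading "v", trailing pre-release tag ignored).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Lexicographic comparison of [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version is "prior to 5.6.3" or a 6.x build "prior to 6.1.2",
// mirroring the advisory's two affected ranges (so 4.x counts as affected too).
function isAffectedVegaVersion(version) {
  const p = parseVersion(version);
  if (compareVersions(p, FIX_5) < 0) return true;
  if (p[0] === 6 && compareVersions(p, FIX_6) < 0) return true;
  return false;
}

// Heuristic audit of a window-like object: report properties that look like
// the vega library namespace or a vega.View instance. Shape checks are an
// assumption of this example, not Vega's documented API contract.
function auditGlobalsForVega(globalObj) {
  const findings = [];
  for (const key of Object.keys(globalObj)) {
    const val = globalObj[key];
    if (val === null || (typeof val !== 'object' && typeof val !== 'function')) continue;
    if (typeof val.View === 'function' && typeof val.parse === 'function') {
      findings.push({ key, kind: 'vega-library' });
    } else if (typeof val.run === 'function' &&
               typeof val.signal === 'function' &&
               typeof val.toSVG === 'function') {
      findings.push({ key, kind: 'vega-view' });
    }
  }
  return findings;
}

// Constructed stand-ins (no real Vega involved) so the audit can be exercised
// offline: one "window" following the unsafe pattern the advisory describes,
// one that keeps the library and the View instance out of global scope.
function makeFakeVega() {
  function View() {
    this.run = () => this;
    this.signal = () => this;
    this.toSVG = () => '';
  }
  return { parse: () => ({}), View, expressionInterpreter: {} };
}

function buildSampleGlobals() {
  const lib = makeFakeVega();
  const unsafeWindow = { vega: lib, view: new lib.View(), location: {} };
  const hardenedWindow = { location: {} }; // library and view stay module-scoped
  return { unsafeWindow, hardenedWindow };
}

function demo() {
  const { unsafeWindow, hardenedWindow } = buildSampleGlobals();
  return {
    affected: ['5.6.2', '5.6.3', '6.1.1', '6.1.2', '4.4.0'].map(isAffectedVegaVersion),
    unsafeFindings: auditGlobalsForVega(unsafeWindow),
    hardenedFindings: auditGlobalsForVega(hardenedWindow),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

In a real application the audit would be run against `window` (for instance from a test harness or a browser console) rather than the constructed objects; a non-empty result means the page still exposes the gadgets the advisory says make user-supplied specifications dangerous, regardless of whether the expression interpreter is enabled.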

Exploit · Fix · XSS

Weakness Enumeration

Related Identifiers
CVE-2025-65110
GHSA-829Q-M3QG-PH8R

Affected Products
Debian
Vega