CVE-2025-59840
BaseFortify

Publication date: 2025-11-13

Last updated on: 2025-11-13

Assigner: GitHub, Inc.

Description
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if the "safe mode" expressionInterpreter is used. They are vulnerable if they (1) use `vega` in an application that attaches the `vega` library and a `vega.View` instance to the global `window`, as the Vega Editor does, and (2) allow user-defined Vega `JSON` definitions (as opposed to JSON that is only provided through source code).

Patches are available in the following Vega packages. If using the latest Vega line (6.x), upgrade to `vega` `6.2.0` / `vega-expression` `6.1.0` / `vega-interpreter` `2.2.1` (if using AST evaluator mode). If using Vega in a non-ESM environment, upgrade to `vega-expression` `5.2.1` / `1.2.1` (if using AST evaluator mode).

Some workarounds are available. Do not attach `vega` View instances to global variables, and do not attach `vega` to the global window. Attaching the vega library and View instances to globals may be convenient for debugging, but should not be done in production or in any situation where vega/vega-lite definitions could be provided by untrusted parties.
Meta Information
Generated: 2026-05-06
AI Q&A: 2025-11-13
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 5 associated CPEs
Vendor Product Version / Range
vega vega 6.2.0
vega vega-expression 1.2.1
vega vega-expression 5.2.1
vega vega-interpreter 2.2.1
vega vega-expression 6.1.0
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Vega versions prior to 6.2.0 where applications that attach the vega library and a vega.View instance to the global window object, and allow user-defined Vega JSON definitions, are at risk of arbitrary JavaScript code execution. This can happen even if the 'safe mode' expressionInterpreter is used. The issue arises because attaching these instances globally and accepting untrusted JSON definitions can enable attackers to execute malicious code.

How can this vulnerability impact me?

If your application uses vulnerable versions of Vega and follows the risky practice of attaching vega and vega.View instances to the global window object while accepting user-defined Vega JSON, attackers could execute arbitrary JavaScript code in your application context. This can lead to compromise of confidentiality and integrity of data, unauthorized actions, and potentially harm users or systems relying on the application.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if your application uses the vega library and attaches a vega.View instance to the global window object, especially if user-defined Vega JSON definitions are allowed. There are no specific commands provided to detect this vulnerability on your network or system.

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading to vega 6.2.0, vega-expression 6.1.0, and vega-interpreter 2.2.1 if using the latest Vega line (6.x). If using Vega in a non-ESM environment, upgrade to vega-expression 5.2.1 or 1.2.1 if using AST evaluator mode. Additionally, do not attach vega or vega.View instances to global variables or the global window object, especially in production or where untrusted Vega/vega-lite definitions may be provided.
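Since the detection answer above offers no commands, here is an added dependency check (not BaseFortify's or the Vega project's code) that applies the fixed versions from the description to an installed package list. It assumes a constructed name-to-version map as input and treats a major line with no listed fix conservatively, as explained in the comments.

```javascript
// Added example (not BaseFortify's or Vega's code): flag installed Vega packages
// below the advisory's fixed versions, from a constructed name -> version map.
const FIXED = {                 // fixed releases per package, newest line first
  "vega": ["6.2.0"],
  "vega-expression": ["6.1.0", "5.2.1", "1.2.1"], // 5.x/1.x: non-ESM lines
  "vega-interpreter": ["2.2.1"],
};

// "MAJOR.MINOR.PATCH" -> [major, minor, patch]; a leading ^, ~ or v and any
// pre-release/build suffix are ignored.
function parseSemver(v) {
  const parts = v.replace(/^[v^~]/, "").split(/[-+]/)[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) {
    throw new Error(`unparseable version: ${v}`);
  }
  return parts;
}

// -1, 0 or 1 as a is below, equal to or above b.
function compareSemver(a, b) {
  const [pa, pb] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Fixed release in the installed major line. Assumption: a line with no listed
// fix (e.g. vega 5.x) is held to the newest fix, the conservative reading of
// "prior to version 6.2.0".
function fixedFor(pkg, installed) {
  const major = parseSemver(installed)[0];
  return FIXED[pkg].find((f) => parseSemver(f)[0] === major) || FIXED[pkg][0];
}

// {pkg, installed, fixed} for every advisory package installed below its fix.
function findVulnerable(installedPackages) {
  const findings = [];
  for (const [pkg, installed] of Object.entries(installedPackages)) {
    if (!Object.prototype.hasOwnProperty.call(FIXED, pkg)) continue;
    const fixed = fixedFor(pkg, installed);
    if (compareSemver(installed, fixed) < 0) findings.push({ pkg, installed, fixed });
  }
  return findings;
}

// Constructed snapshot: vega and vega-interpreter are behind their fixes.
const SAMPLE_LOCK = { "vega": "6.1.2", "vega-expression": "6.1.0",
                      "vega-interpreter": "2.2.0", "vega-lite": "6.1.0" };
console.log(findVulnerable(SAMPLE_LOCK)); // two findings
```

Feed it the `dependencies` section of `npm ls --json` or a lockfile walk to check a real project; the map shape is the only contract.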