CVE-2025-14896
Unknown Unknown - Not Provided
Server-Side Request Forgery in Vega `convert()` with safeMode

Publication date: 2025-12-18

Last updated on: 2025-12-18

Assigner: Snyk

Description
due to insufficient sanitazation in Vega’s `convert()` function when `safeMode` is enabled and the spec variable is an array. An attacker can craft a malicious Vega diagram specification that will allow them to send requests to any URL, including local file system paths, leading to exposure of sensitive information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-18
Last Modified
2025-12-18
Generated
2026-06-16
AI Q&A
2025-12-18
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14896
EUVD
EUVD-2025-204295
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
vega vega *
yuzutech kroki *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-552 The product makes files or directories accessible to unauthorized actors, even though they should not be.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

This vulnerability allows an attacker to craft malicious Vega diagram specifications that can send requests to any URL, including local file system paths, potentially exposing sensitive information. Such unauthorized exposure of sensitive data could lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to protect personal and sensitive information. The fix implemented prevents loading external data URLs in secure mode, thereby mitigating the risk of unauthorized data access and helping maintain compliance with these standards. [1]

Executive Summary

This vulnerability occurs due to insufficient sanitization in Vega's convert() function when safeMode is enabled and the spec variable is an array. An attacker can craft a malicious Vega diagram specification that includes external URLs, allowing them to send requests to any URL, including local file system paths. This can lead to exposure of sensitive information by loading untrusted or sensitive external resources. [1]

Impact Analysis

The vulnerability can impact you by allowing an attacker to exploit the Vega convert() function to send requests to arbitrary URLs, including local file system paths. This can result in unauthorized exposure of sensitive information from your system or network, potentially leading to data breaches or information leakage. [1]

Detection Guidance

This vulnerability can be detected by checking if Vega specifications processed by Kroki in secure mode contain any external data URLs in the `data.url` attribute or within nested structures such as `marks[].data[].url`. If such URLs are present, the `convert()` function will throw an `UnsafeIncludeError`. To detect this on your system, you can review Vega specification files or logs for errors mentioning `UnsafeIncludeError`. Additionally, monitoring network traffic for unexpected outgoing requests to external URLs from Vega processing components may help identify exploitation attempts. There are no specific commands provided, but inspecting Vega specs for `data.url` fields or searching logs for `UnsafeIncludeError` messages is recommended. [1]

Mitigation Strategies

To mitigate this vulnerability immediately, ensure that Kroki is running in secure mode (safeMode set to 'secure'), which prevents loading external data URLs in Vega specifications. Avoid using Vega specifications that include external `data.url` attributes; instead, provide data inline via the `values` attribute. If external URLs are necessary, run Kroki in unsafe mode by setting the `KROKI_SAFE_MODE` environment variable accordingly, but be aware this reduces security. Applying the patch from the referenced fix (commit f31093cd8a0a1d6999c43d560f62d1e82d59c77e) is also essential to enforce these checks. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14896. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart