CVE-2025-66648
Unknown Unknown - Not Provided
Cross-Site Scripting in vega-functions Internal Function Pre

Publication date: 2026-01-05

Last updated on: 2026-02-05

Assigner: GitHub, Inc.

Description
vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-02-05
Generated
2026-06-16
AI Q&A
2026-01-06
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66648
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
vega vega-functions 6.1.1
vega-functions_project vega-functions to 6.1.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in vega-functions prior to version 6.1.1, where a malicious user can exploit an internal function (not part of the public API) to execute unintended JavaScript code (cross-site scripting or XSS) on sites that accept untrusted user input. The issue is fixed in version 6.1.1, and there is no workaround other than upgrading. Using vega.expressionInterpreter in CSP safe mode does not prevent this vulnerability.

Impact Analysis

This vulnerability can allow attackers to run arbitrary JavaScript code in the context of the affected site, potentially leading to data theft, session hijacking, or other malicious actions. It can compromise the confidentiality and integrity of user data and the security of the application.

Mitigation Strategies

The only mitigation is to upgrade vega-functions to version 6.1.1 or later. There are no workarounds besides upgrading. Using vega.expressionInterpreter in CSP safe mode does not prevent this issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66648. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart