CVE-2025-66648
Unknown Unknown - Not Provided

Cross-Site Scripting in vega-functions Internal Function Pre

Vulnerability report for CVE-2025-66648, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-05

Last updated on: 2026-02-05

Assigner: GitHub, Inc.

Description

vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-05
Last Modified
2026-02-05
Generated
2026-07-06
AI Q&A
2026-01-06
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
vega vega-functions 6.1.1
vega-functions_project vega-functions to 6.1.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in vega-functions prior to version 6.1.1, where a malicious user can exploit an internal function (not part of the public API) to execute unintended JavaScript code (cross-site scripting or XSS) on sites that accept untrusted user input. The issue is fixed in version 6.1.1, and there is no workaround other than upgrading. Using vega.expressionInterpreter in CSP safe mode does not prevent this vulnerability.

Impact Analysis

This vulnerability can allow attackers to run arbitrary JavaScript code in the context of the affected site, potentially leading to data theft, session hijacking, or other malicious actions. It can compromise the confidentiality and integrity of user data and the security of the application.

Mitigation Strategies

The only mitigation is to upgrade vega-functions to version 6.1.1 or later. There are no workarounds besides upgrading. Using vega.expressionInterpreter in CSP safe mode does not prevent this issue.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66648. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart