CVE-2025-66648
Cross-Site Scripting in vega-functions Internal Function Pre
Publication date: 2026-01-05
Last updated on: 2026-02-05
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| vega | vega-functions | 6.1.1 |
| vega-functions_project | vega-functions | to 6.1.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in vega-functions prior to version 6.1.1, where a malicious user can exploit an internal function (not part of the public API) to execute unintended JavaScript code (cross-site scripting or XSS) on sites that accept untrusted user input. The issue is fixed in version 6.1.1, and there is no workaround other than upgrading. Using vega.expressionInterpreter in CSP safe mode does not prevent this vulnerability.
How can this vulnerability impact me? :
This vulnerability can allow attackers to run arbitrary JavaScript code in the context of the affected site, potentially leading to data theft, session hijacking, or other malicious actions. It can compromise the confidentiality and integrity of user data and the security of the application.
What immediate steps should I take to mitigate this vulnerability?
The only mitigation is to upgrade vega-functions to version 6.1.1 or later. There are no workarounds besides upgrading. Using vega.expressionInterpreter in CSP safe mode does not prevent this issue.