Bug 2345818 (CVE-2025-25304) - CVE-2025-25304 vega: Vega allows Cross-site Scripting via the vlSelectionTuples function
Summary: CVE-2025-25304 vega: Vega allows Cross-site Scripting via the vlSelectionTupl...
Keywords:
Status: NEW
Alias: CVE-2025-25304
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2345860 2345861
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-02-14 20:01 UTC by OSIDB Bzimport
Modified: 2025-02-17 14:06 UTC (History)
2 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2025-02-14 20:01:05 UTC
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the `vlSelectionTuples` function can be used to call JavaScript functions, leading to cross-site scripting.`vlSelectionTuples` calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. This can be used to call `Function()` with arbitrary JavaScript and the resulting function can be called with `vlSelectionTuples` or using a type coercion to call `toString` or `valueOf`. Version 5.26.0 of vega and 5.4.2 of vega-selections fix this issue.


Note You need to log in before you can comment on or make changes to this bug.