2355332 – (CVE-2025-26619) CVE-2025-26619 vega: Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode `expressionInterpeter`

Bug 2355332 (CVE-2025-26619) - CVE-2025-26619 vega: Vega Cross-Site Scripting (XSS) via event filter when not using CSP mode `expressionInterpeter`

Summary: CVE-2025-26619 vega: Vega Cross-Site Scripting (XSS) via event filter when no...

Keywords:
Status:	NEW
Alias:	CVE-2025-26619
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2355646 2355647
Blocks:
TreeView+	depends on / blocked

Reported:	2025-03-27 14:01 UTC by OSIDB Bzimport
Modified:	2025-03-28 13:40 UTC (History)
CC List:	2 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-03-27 14:01:37 UTC

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In `vega` 5.30.0 and lower and in `vega-functions` 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. The issue is patched in `vega` `5.31.0`  and `vega-functions` `5.16.0`. Some workarounds are available. Run `vega` without `vega.expressionInterpreter`. This mode is not the default as it is slower. Alternatively, using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability.

Note You need to log in before you can comment on or make changes to this bug.