Description

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In `vega` 5.30.0 and lower and in `vega-functions` 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. The issue is patched in `vega` `5.31.0` and `vega-functions` `5.16.0`. Some workarounds are available. Run `vega` without `vega.expressionInterpreter`. This mode is not the default as it is slower. Alternatively, using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability.

INFO

Published Date :

2025-03-27T13:51:38.442Z

Last Modified :

2025-03-27T14:21:44.479Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-26619 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-26619.

URL Resource
https://github.com/vega/vega-lite/issues/9469 cve-icon cve-icon
https://github.com/vega/vega/commit/8fc129a6f8a11e96449c4ac0f63de0e5bfc7254c cve-icon cve-icon
https://github.com/vega/vega/issues/3984 cve-icon cve-icon
https://github.com/vega/vega/security/advisories/GHSA-rcw3-wmx7-cphr cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability