Vega up to 5.6.2/6.1.1 cross site scripting

Summaryinfo

A vulnerability, which was classified as problematic, was found in Vega up to 5.6.2/6.1.1. This vulnerability affects unknown code. Executing a manipulation can lead to cross site scripting. This vulnerability appears as CVE-2025-65110. The attack may be performed from remote. There is no available exploit. You should upgrade the affected component.

Detailsinfo

A vulnerability has been found in Vega up to 5.6.2/6.1.1 and classified as problematic. This vulnerability affects some unknown functionality. The manipulation with an unknown input leads to a cross site scripting vulnerability. The CWE definition for the vulnerability is CWE-79. The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. As an impact it is known to affect integrity. CVE summarizes:

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. First, they use `vega` in an application that attaches both `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window`, or has any other satisfactory function gadgets in the global scope. Second, they allow user-defined Vega `JSON` definitions (vs JSON that was is only provided through source code). This vulnerability allows for DOM XSS, potentially stored, potentially reflected, depending on how the library is being used. The vulnerability requires user interaction with the page to trigger. An attacker can exploit this issue by tricking a user into opening a malicious Vega specification. Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the application’s domain. This can lead to theft of sensitive information such as authentication tokens, manipulation of data displayed to the user, or execution of unauthorized actions on behalf of the victim. This exploit compromises confidentiality and integrity of impacted applications.Patched versions are available in `[email protected]` (requires ESM) for Vega v6 and `[email protected]` (no ESM needed) for Vega v5. As a workaround, do not attach `vega` or `vega.View` instances to global variables or the window as the editor used to do. This is a development-only debugging practice that should not be used in any situation where Vega/Vega-lite definitions can come from untrusted parties.

The advisory is shared for download at github.com. This vulnerability was named CVE-2025-65110 since 11/17/2025. The exploitation appears to be easy. The attack can be initiated remotely. No form of authentication is required for a successful exploitation. Successful exploitation requires user interaction by the victim. There are neither technical details nor an exploit publicly available. The MITRE ATT&CK project declares the attack technique as T1059.007.

The vulnerability scanner Nessus provides a plugin with the ID 282586 (Linux Distros Unpatched Vulnerability : CVE-2025-65110), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 5.6.3 or 6.1.2 eliminates this vulnerability.

The vulnerability is also documented in the databases at Tenable (282586) and EUVD (EUVD-2025-206234). Once again VulDB remains the best source for vulnerability data.

Productinfo

Name

• Vega

Version

• 5.6.0
• 5.6.1
• 5.6.2
• 6.1.0
• 6.1.1

Website

• Product: https://github.com/vega/vega/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Once again VulDB remains the best source for vulnerability data.

Discussion