ghsa-mp7w-mhcv-673j
Vulnerability from github
Published
2025-02-14 17:33
Modified
2025-02-14 22:17
Summary
Vega allows Cross-site Scripting via the vlSelectionTuples function
Details
Summary
The vlSelectionTuples function can be used to call JavaScript functions, leading to XSS.
Details
vlSelectionTuples calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument.
Example call: vlSelectionTuples([{datum:<argument>}], {fields:[{getter:<function>}]})
This can be used to call Function() with arbitrary JavaScript, and the resulting function can be called with vlSelectionTuples or by using a type coercion to call toString or valueOf.
PoC
{"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","init":"+{valueOf:vlSelectionTuples([{datum:'alert(1)'}],{fields:[{getter:[].at.constructor}]})[0].values[0]}"}]}
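The pattern the advisory describes, as an added illustration that is not Vega's code: a simplified model of a selection-tuple builder that invokes a spec-supplied function-valued getter on spec-supplied datum, beside a hardened variant that accepts only string field names resolved by own-property lookup. The function and descriptor names are assumptions; a spy function stands in for whatever callee a malicious spec would choose.

```javascript
// Added example modelling the advisory's pattern; not Vega's implementation.

// Vulnerable model: trusts a caller-supplied function and calls it on caller data,
// so the spec controls both the callee and its argument.
function selectionTuplesVulnerable(data, { fields }) {
  return data.map(({ datum }) => ({
    values: fields.map(f => f.getter(datum)),
  }));
}

// Safe accessor: a dotted field name is resolved by own-property lookup only.
// Prototype-chain keys such as "constructor" are refused, so a spec cannot
// walk obj.constructor.constructor to reach Function.
function safeField(name) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('field must be a non-empty string');
  }
  const path = name.split('.');
  return datum => path.reduce((obj, key) => {
    if (obj === null || typeof obj !== 'object') return undefined;
    return Object.prototype.hasOwnProperty.call(obj, key) ? obj[key] : undefined;
  }, datum);
}

// Hardened model: descriptors must name a field as a string; any function-valued
// getter is rejected before evaluation, so the spec cannot choose what gets called.
function selectionTuplesHardened(data, { fields }) {
  const getters = fields.map(f => {
    if ('getter' in f || typeof f.field !== 'string') {
      throw new TypeError('field descriptor must use a string "field" name');
    }
    return safeField(f.field);
  });
  return data.map(({ datum }) => ({ values: getters.map(g => g(datum)) }));
}

// Constructed check: the spy records that the spec-chosen callee ran on spec data.
function demoCallsArbitraryFunction() {
  const calls = [];
  const spy = arg => { calls.push(arg); return 'called'; };
  selectionTuplesVulnerable([{ datum: 'spec-string' }], { fields: [{ getter: spy }] });
  return calls; // ['spec-string']
}

// Constructed check: the PoC's descriptor shape is refused by the hardened model.
function demoHardenedRejects() {
  try {
    selectionTuplesHardened([{ datum: 'spec-string' }], { fields: [{ getter: [].at.constructor }] });
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```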
Affected packages
- npm vega: all versions before 5.26.0 (fixed in 5.26.0)
- npm vega-selections: all versions before 5.4.2 (fixed in 5.4.2)
Aliases: CVE-2025-25304
CWE: CWE-79
Severity: MODERATE, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N
GitHub reviewed: 2025-02-14T17:33:58Z; NVD published: 2025-02-14T20:15:36Z
Schema version: 1.4.0
References
- https://github.com/vega/vega/security/advisories/GHSA-mp7w-mhcv-673j (advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2025-25304 (NVD)
- https://github.com/vega/vega/commit/9fb9ea07e27984394e463d286eb73944fa61411e (commit)
- https://github.com/vega/vega (package)
- https://github.com/vega/vega/blob/b45cf431cd6c0d0c0e1567f087f9b3b55bc236fa/packages/vega-selections/src/selectionTuples.js#L14 (affected function)