CVE-2025-27793

Summary

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library was used with the vega-interpreter. Vega version 5.32.0 and vega-functions version 5.17.0 fix the issue. As a workaround, use vega with expression interpreter.

Affected Software

VendorProductVersion RangeStatus
vegavega< 5.32.0affected

Weaknesses

  • CWE-87: CWE-87: Improper Neutralization of Alternate XSS Syntax
  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References