CVE-2025-25304: Vega allows Cross-site Scripting via the vlSelectionTuples function
The vlSelectionTuples function in the vega-selections package (packages/vega-selections/src/selectionTuples.js) could be made to call JavaScript functions it was not intended to expose, so a crafted Vega specification can achieve cross-site scripting in an application that renders it. The exposure is limited to applications that render Vega specifications from untrusted sources; the correction is in the Vega commit linked below, and the GitHub and NVD advisories list the affected and patched versions.
References
- github.com/advisories/GHSA-mp7w-mhcv-673j
- github.com/vega/vega
- github.com/vega/vega/blob/b45cf431cd6c0d0c0e1567f087f9b3b55bc236fa/packages/vega-selections/src/selectionTuples.js
- github.com/vega/vega/commit/9fb9ea07e27984394e463d286eb73944fa61411e
- github.com/vega/vega/security/advisories/GHSA-mp7w-mhcv-673j
- nvd.nist.gov/vuln/detail/CVE-2025-25304
Detect and mitigate CVE-2025-25304 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →
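The check a dependency scanner performs for an advisory like this one can be reproduced by hand against an npm lockfile. The script below is an added example, not code from this advisory, from GitLab or from the Vega project: it walks the `packages` map of a lockfileVersion 2/3 `package-lock.json`, finds every installed copy of the packages named in the advisory (including nested copies under another dependency's `node_modules`), and flags any whose version is below the patched version. The lockfile content is constructed for the demonstration, and the patched versions in `ASSUMED_FIXED_VERSIONS` are placeholders assumed here; take the real boundaries from the linked GHSA and NVD entries before relying on the result.

```javascript
// Added example (not from the advisory, GitLab or the Vega project): flag
// installed copies of the advisory's packages whose version is below the
// patched version, reading an npm package-lock.json (lockfileVersion 2 or 3).

// Patched-version boundaries are ASSUMED placeholders for this demonstration.
// Replace them with the versions listed in the linked GHSA/NVD advisory.
const ASSUMED_FIXED_VERSIONS = {
  "vega": "5.32.0",
  "vega-selections": "5.4.2",
};

// Constructed lockfile fragment; the versions are illustrative, not real installs.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { vega: "^5.0.0" } },
    "node_modules/vega": { version: "5.20.0", dependencies: { "vega-selections": "^5.0.0" } },
    "node_modules/vega-selections": { version: "5.4.1" },
    // A second, nested copy pulled in by another dependency: already above the boundary.
    "node_modules/some-chart-lib/node_modules/vega": { version: "5.99.0" },
    "node_modules/lodash": { version: "4.17.21" },
  },
});

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator returning <0, 0 or >0. A pre-release of X.Y.Z sorts below X.Y.Z itself,
// so "5.32.0-rc.1" is still treated as unpatched relative to "5.32.0".
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Return every installed path of a watched package whose version is strictly
// below that package's patched version. Nested installs are covered because the
// lockfile keys every copy by its full node_modules path.
function findVulnerable(lockJson, fixedVersions) {
  const lock = JSON.parse(lockJson);
  if (!lock.packages || typeof lock.packages !== "object") {
    throw new Error("lockfileVersion 2 or 3 with a packages map is required");
  }
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === "" || !entry || !entry.version) continue; // root project entry
    // The package name is everything after the last "node_modules/" (keeps @scope/name).
    const marker = "node_modules/";
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const fixed = fixedVersions[name];
    if (fixed && compareSemver(entry.version, fixed) < 0) {
      hits.push({ name, path, version: entry.version, fixed });
    }
  }
  return hits;
}

// Stand-alone run over the constructed lockfile.
for (const h of findVulnerable(SAMPLE_LOCK, ASSUMED_FIXED_VERSIONS)) {
  console.log(`${h.path}: ${h.name}@${h.version} is below patched ${h.fixed}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with the contents of the project's `package-lock.json` and set the patched versions from the advisory; a transitive copy of `vega` bundled by another charting library is reported under its nested path, which is exactly the install that a top-level `npm ls vega` can hide.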