CVE-2025-27793: Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]
Calling replace with a RegExp-like pattern calls RegExp.prototype[@@replace], which can then call an attacker-controlled exec function.
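The dispatch the advisory describes, and one defensive way to close it, as an added example that is not Vega's code and not the project's actual fix (commit 694560c above): `String.prototype.replace` looks up `pattern[Symbol.replace]`, and `RegExp.prototype[Symbol.replace]` in turn calls `pattern.exec`, so any object that looks enough like a RegExp gets its own `exec` run by the builtin. The hardened helper `safeReplace` (a hypothetical name) accepts only strings or genuine RegExp instances, checked via the `RegExp.prototype.source` getter, which throws for objects without a real RegExp internal slot, and rebuilds the pattern from `source` and `flags` so that own-property overrides such as `exec` are discarded before the builtin runs.

```javascript
// Added example (not from the Vega project). Node or any ES2015+ engine.

// Shows the mechanism: a plain object that borrows
// RegExp.prototype[Symbol.replace] is "RegExp-like" enough that
// String.prototype.replace ends up calling its caller-supplied exec.
function demonstrateRegExpLikeDispatch() {
  let execCalls = 0;
  const regexpLike = {
    [Symbol.replace]: RegExp.prototype[Symbol.replace],
    flags: "",       // read by RegExp.prototype[Symbol.replace]
    lastIndex: 0,
    exec(s) {        // caller-controlled; the builtin invokes this
      execCalls++;
      return null;   // "no match", so the input comes back unchanged
    },
  };
  const out = "constructed input".replace(regexpLike, "x"); // constructed sample
  return { execCalls, out };
}

// Original accessors captured once so later prototype tampering cannot
// redirect the checks below.
const sourceGetter = Object.getOwnPropertyDescriptor(RegExp.prototype, "source").get;
const flagsGetter = Object.getOwnPropertyDescriptor(RegExp.prototype, "flags").get;

// True only for objects carrying a real RegExp internal slot: the spec'd
// source getter throws TypeError for anything else (RegExp.prototype
// itself excepted, which is harmless here).
function isGenuineRegExp(value) {
  if (typeof value !== "object" || value === null) return false;
  try {
    sourceGetter.call(value);
    return true;
  } catch (_) {
    return false;
  }
}

// Hardened replace for an expression sandbox: strings are matched
// literally, genuine RegExps are rebuilt from source/flags so no own
// exec or Symbol.replace override survives, everything else is rejected,
// and the replacement is forced to a string so no function can be passed.
function safeReplace(input, pattern, replacement) {
  const str = String(input);
  const repl = String(replacement);
  if (typeof pattern === "string") {
    return str.replace(pattern, repl);
  }
  if (!isGenuineRegExp(pattern)) {
    throw new TypeError("safeReplace: pattern must be a string or a RegExp");
  }
  const fresh = new RegExp(sourceGetter.call(pattern), flagsGetter.call(pattern));
  return str.replace(fresh, repl);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demonstrateRegExpLikeDispatch()); // { execCalls: 1, out: 'constructed input' }
  console.log(safeReplace("a-b-c", /-/g, "+")); // a+b+c
}
```

The rebuild step matters more than the type check: a real RegExp can carry an own `exec` property, and the native `replace` would honour it, whereas `new RegExp(source, flags)` always yields an object whose `exec` is the engine's own.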
References
- github.com/advisories/GHSA-963h-3v39-3pqf
- github.com/vega/vega
- github.com/vega/vega/commit/694560c0aa576df8b6c5f0f7d202ac82233e6966
- github.com/vega/vega/releases/tag/v5.32.0
- github.com/vega/vega/security/advisories/GHSA-963h-3v39-3pqf
- nvd.nist.gov/vuln/detail/CVE-2025-27793
- vega.github.io/vega/usage/interpreter