Chart of Doom: Hijacking Vega's .map() for DOM XSS
Vulnerability ID: CVE-2025-65110
CVSS Score: 8.1
Published: 2026-01-05
A high-severity DOM-based Cross-Site Scripting (XSS) vulnerability in the Vega visualization library. By exploiting a type confusion flaw in the vega-selections package, attackers can perform method hijacking to execute arbitrary JavaScript code via crafted JSON specifications.
TL;DR
Vega blindly trusts that an input is an Array before calling .map() on it. Attackers can pass a malicious object instead, hijacking the method call to trigger 'gadgets' like CanvasHandler.prototype.on. In environments where debug globals are exposed, this chains directly into eval(), turning your innocent bar chart into a remote shell.
⚠️ Exploit Status: POC
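The bug class in the TL;DR, as an added illustration that is not vega-selections code: a helper that reads a value from a spec and duck-types on `.map()`, shown beside a hardened version that requires a genuine Array. The `lookalike` object and the `resolveValues*` names are constructed for this example; in the real chain the hijacked `map` resolves to an unintended library method rather than the stub used here.

```javascript
// Vulnerable shape: no type check, so any object that happens to expose a
// callable `map` property is invoked with library-chosen arguments.
function resolveValuesUnsafe(values, fn) {
  return values.map(fn);
}

// Hardened shape: insist on a real Array, then call the prototype method so
// an own `map` property on the input is never consulted.
function resolveValuesSafe(values, fn) {
  if (!Array.isArray(values)) {
    const tag = Object.prototype.toString.call(values);
    throw new TypeError(`expected an array of values, got ${tag}`);
  }
  return Array.prototype.map.call(values, fn);
}

// Constructed inputs (hypothetical, not from a real spec).
const goodValues = [1, 2, 3];
const double = (x) => x * 2;

// Records whether a call landed on the non-array object's `map`.
const hijackLog = [];
const lookalike = {
  map(fn) {
    hijackLog.push(`map called with ${typeof fn}`);
    return 'value chosen by the object, not a mapped array';
  },
};

// Runs both helpers over both inputs and returns what happened, so the
// difference can be inspected (or asserted) without relying on console output.
function demonstrate() {
  const result = {
    unsafeGood: resolveValuesUnsafe(goodValues, double),
    unsafeLookalike: resolveValuesUnsafe(lookalike, double),
    hijackCalls: hijackLog.length,
    safeGood: resolveValuesSafe(goodValues, double),
    safeLookalikeRejected: false,
  };
  try {
    resolveValuesSafe(lookalike, double);
  } catch (e) {
    result.safeLookalikeRejected = e instanceof TypeError;
  }
  return result;
}
```

Running `demonstrate()` shows the unchecked helper handing control to the object's own `map` while the `Array.isArray` guard rejects it before any call is made.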
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network (DOM-based)
- CVSS v3.1: 8.1 (High)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
- Exploit Status: PoC Available
- Patch Date: 2026-01-05
Affected Systems
- Vega visualization library (v5 and v6)
- Applications rendering user-supplied Vega JSON
- Jupyter Notebook environments using Altair/Vega
- Kibana (if using older Vega plugins)
- vega-selections < 5.6.3 (fixed in 5.6.3)
- vega-selections >= 6.0.0, < 6.1.2 (fixed in 6.1.2)
Exploit Details
- GitHub Advisory: Official advisory containing the PoC payload
Mitigation Strategies
- Implement strong Content Security Policy (CSP) forbidding 'unsafe-eval'
- Remove global exposure of internal libraries (VEGA_DEBUG)
- Sanitize JSON inputs if accepting specs from untrusted sources
Remediation Steps:
- Identify the vulnerable dependency: npm ls vega-selections
- Update vega-selections to version 5.6.3 or 6.1.2
- Verify the patch by inspecting node_modules or by running the PoC in a test environment
References
Read the full report for CVE-2025-65110 on our website for more details including interactive diagrams and full exploit analysis.