CVE Reports

Posted on • Originally published at cvereports.com

CVE-2025-66648: Vega's Visual Betrayal: Leaking the Window via Internal Functions

Vulnerability ID: CVE-2025-66648
CVSS Score: 7.2
Published: 2026-01-05

A high-severity Cross-Site Scripting (XSS) vulnerability exists in the Vega expression language (vega-functions). By leveraging the internal modify function and traversing the dataflow object graph, attackers can access the global window object and execute arbitrary JavaScript.

TL;DR

Vega, the popular visualization grammar, failed to sanitize inputs to its internal modify() function. Attackers can craft a malicious JSON specification that traverses internal object references (via event.dataflow) to reach the browser's global scope (window). By passing a function reference like window.alert into modify(), the engine unwittingly executes it. Fixed in vega-functions 6.1.1.


⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network
  • CVSS Score: 7.2 (High)
  • Exploit Status: PoC Available
  • Impact: Code Execution / XSS
  • Vulnerability Type: Improper Input Neutralization

Affected Systems

  • vega-functions < 6.1.1 (fixed in 6.1.1)
  • Vega visualization library
  • Applications embedding Vega (e.g., Kibana, Jupyter)

Code Analysis

Commit: 47afa04

Fix: Check that modify parameter is not a function

```javascript
// vega-functions fix (commit 47afa04): reject function-valued arguments to modify()
if (isFunction(modify)) {
  throw Error('modify parameter must be a data tuple, not a function');
}
```

Mitigation Strategies

  • Input Validation
  • Dependency Management
  • Content Security Policy (CSP)

Remediation Steps:

  1. Identify vulnerable instances of vega-functions (< 6.1.1) in dependency trees.
  2. Upgrade to vega-functions version 6.1.1 or later.
  3. If direct upgrade is not possible, audit Vega specifications for usage of the modify function or access to event.dataflow.
  4. Implement strict CSP headers to limit the impact of potential XSS execution.
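To support step 3, the following is an added example (not code from the advisory or from the Vega project) that walks a Vega specification and flags every expression string that calls modify() or references event.dataflow, reporting the JSON path of each hit; the sample spec and the helper names are constructed for illustration.

```javascript
// Added example: audit a Vega spec for the expression patterns this CVE abuses,
// as a stop-gap review aid while vega-functions < 6.1.1 cannot be upgraded.

// Patterns worth flagging in any expression string of a spec:
//  - a call to modify(), the sink that accepted function references
//  - a reference to event.dataflow, the object-graph path toward the global scope
const SUSPICIOUS = [
  { name: 'modify-call',     re: /\bmodify\s*\(/ },
  { name: 'dataflow-access', re: /\bevent\s*\.\s*dataflow\b/ },
];

// Recursively visit every string in the spec (signals, encode sets, transforms,
// event handlers) and report each match with its JSON path for quick triage.
function auditVegaSpec(spec, path = '$') {
  const findings = [];
  if (typeof spec === 'string') {
    for (const { name, re } of SUSPICIOUS) {
      if (re.test(spec)) findings.push({ path, pattern: name, expr: spec });
    }
  } else if (Array.isArray(spec)) {
    spec.forEach((v, i) => findings.push(...auditVegaSpec(v, `${path}[${i}]`)));
  } else if (spec && typeof spec === 'object') {
    for (const [k, v] of Object.entries(spec)) {
      findings.push(...auditVegaSpec(v, `${path}.${k}`));
    }
  }
  return findings;
}

// Constructed sample spec: one benign signal and one event handler that uses
// both flagged patterns (hypothetical, not a working exploit).
const SAMPLE_SPEC = {
  signals: [
    { name: 'width', update: 'containerSize()[0]' },
    { name: 'tainted', on: [{ events: 'click', update: 'modify("table", event.dataflow)' }] },
  ],
};

// Runs the audit over the constructed sample and returns the findings list.
function auditSample() {
  return auditVegaSpec(SAMPLE_SPEC);
}

console.log(JSON.stringify(auditSample(), null, 2));
```

A clean spec yields an empty findings list; any hit should be reviewed by hand, since the regexes are deliberately broad and do not parse the expression grammar.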

Read the full report for CVE-2025-66648 on our website for more details including interactive diagrams and full exploit analysis.