CVE-2025-66648
Severity: HIGH
vega-functions < 6.1.1 - Cross-Site Scripting via Internal Function
Title source: llmDescription
vega-functions provides the function implementations for the Vega expression language. Prior to version 6.1.1, on sites that allow users to supply untrusted input to that expression language, an internal function (not part of the public API) could be invoked in a way that executes unintended JavaScript (XSS). The issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading; in particular, using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue, so a CSP-safe deployment is still affected until the package is updated.
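Because the only remediation is the upgrade, the practical check is whether any installed copy of vega-functions is below 6.1.1. The script below is an added example written for this page, not code from the advisory or the vega project. It scans an npm package-lock.json for every installed copy of vega-functions, including copies nested under another package's node_modules that a top-level dependency listing can hide (vega-functions is normally pulled in transitively rather than installed directly, which is an assumption about the reader's project, not something the advisory states). It assumes the standard npm lockfile layouts (lockfileVersion 1 nested "dependencies" tree, lockfileVersion 2/3 flat "packages" map); the sample lockfile in the block is constructed for the example.

```javascript
// Added example for CVE-2025-66648; not code from the advisory or the vega project.
// Scans an npm package-lock.json for every installed copy of vega-functions and
// reports the ones in the affected range (< 6.1.1), including nested copies under
// other packages' node_modules directories. Handles lockfileVersion 1 (nested
// "dependencies" tree) and 2/3 (flat "packages" map). The sample lockfile at the
// bottom is constructed for this example, not taken from a real project.

const FIXED_VERSION = '6.1.1'; // from the advisory: fixed in vega-functions 6.1.1

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into numbers plus a
// pre-release flag; build metadata is ignored, as SemVer specifies.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] !== undefined };
}

// Returns -1, 0 or 1. A pre-release of X sorts before release X (SemVer rule),
// so "6.1.1-beta.1" is still treated as older than the fix. Pre-releases of the
// same core version are not ordered against each other here.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre !== pb.pre) return pa.pre ? -1 : 1;
  return 0;
}

function isVulnerableVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// lockfileVersion 1: recurse through the nested "dependencies" tree.
function walkV1(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'vega-functions' && meta.version && isVulnerableVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
    walkV1(meta.dependencies, `${path}/`, hits);
  }
}

// Returns [{ path, version }] for every affected copy of vega-functions.
function findVulnerableVegaFunctions(lockfile) {
  const hits = [];
  if (lockfile.packages) {
    // lockfileVersion 2/3: keys are install paths such as
    // "node_modules/vega-functions" or "node_modules/x/node_modules/vega-functions".
    for (const [path, meta] of Object.entries(lockfile.packages)) {
      if (!/(^|\/)node_modules\/vega-functions$/.test(path)) continue;
      if (meta.version && isVulnerableVersion(meta.version)) {
        hits.push({ path, version: meta.version });
      }
    }
  } else {
    walkV1(lockfile.dependencies, '', hits);
  }
  return hits;
}

// Constructed sample (lockfileVersion 3): a hoisted affected copy and one
// nested copy that is already at the fixed version.
const SAMPLE_LOCKFILE = {
  name: 'example-dashboard',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-dashboard' },
    'node_modules/vega-functions': { version: '5.15.1' },
    'node_modules/some-chart-lib/node_modules/vega-functions': { version: '6.1.1' },
  },
};

// Usage: node scan-vega-functions.js [path/to/package-lock.json]
// Without a path the constructed sample is scanned. Exits non-zero on a hit so
// the check can gate a CI pipeline.
if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  const file = process.argv[2];
  const lockfile = file ? JSON.parse(require('fs').readFileSync(file, 'utf8')) : SAMPLE_LOCKFILE;
  const hits = findVulnerableVegaFunctions(lockfile);
  for (const h of hits) console.log(`AFFECTED ${h.path} vega-functions@${h.version} (< ${FIXED_VERSION})`);
  if (hits.length === 0) console.log('no affected vega-functions copies found');
  process.exitCode = hits.length ? 1 : 0;
}
```

The scanner deliberately reports every copy rather than only the hoisted one: a fixed top-level vega-functions does not help if a chart library still resolves its own nested 6.0.x copy, and the advisory offers no mitigation short of getting each copy to 6.1.1 or later.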
References (1)
Core References
https://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm (Exploit, Vendor Advisory; x_refsource_confirm)
Scores
CVSS v3: 7.2
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector: NETWORK
EPSS: 0.0007 (0.07%)
EPSS Percentile: 21.5%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-79 (Improper Neutralization of Input During Web Page Generation, 'Cross-site Scripting')
Status: published
Products (2)
npm/vega-functions: >= 0, < 6.1.1 (npm)
vega-functions_project/vega-functions: < 6.1.1
Published: Jan 05, 2026
Tracked Since: Feb 18, 2026