{"id":"CVE-2025-27793","summary":"Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]","details":"Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library was used with the `vega-interpreter`. Vega version 5.32.0 and vega-functions version 5.17.0 fix the issue. As a workaround, use `vega` with expression interpreter.","aliases":["GHSA-963h-3v39-3pqf"],"modified":"2026-04-10T05:25:04.038751Z","published":"2025-03-27T14:07:52.264Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27793.json","cwe_ids":["CWE-79","CWE-87"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/vega/vega/releases/tag/v5.32.0"},{"type":"WEB","url":"https://vega.github.io/vega/usage/interpreter"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/27xxx/CVE-2025-27793.json"},{"type":"ADVISORY","url":"https://github.com/vega/vega/security/advisories/GHSA-963h-3v39-3pqf"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27793"},{"type":"FIX","url":"https://github.com/vega/vega/commit/694560c0aa576df8b6c5f0f7d202ac82233e6966"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/vega/vega","events":[{"introduced":"0"},{"fixed":"694560c0aa576df8b6c5f0f7d202ac82233e6966"}]},{"type":"GIT","repo":"https://github.com/vega/vega","events":[{"introduced":"0"},{"fixed":"c46889df45c5ea4286e7cef1ac3041c4a3d82c78"}]}],"versions":["v1.0.0","v1.1.0","v1.2.0","v1.3.0","v1.3.1","v1.3.2","v1.3.3","v1.3.4","v1.4.0","v1.4.1","v1.4.2","v1.4.3","v1.5.0","v1.5.1","v1.5.4","v3.0.0","v3.0.0-beta.10","v3.0.0-beta.11","v3.0.0-beta.12","v3.0.0-beta.13","v3.0.0-beta.14","v3.0.0-beta.15","v3.0.0-beta.16","v3.0.0-beta.17","v3.0.0-beta.18","v3.0.0-beta.19","v3.0.0-beta.2","v3.0.0-beta.20","v3.0.0-beta.21","v3.0.0-beta.22","v3.0.0-beta.23","v3.0.0-beta.24","v3.0.0-beta.25","v3.0.0-beta.26","v3.0.0-beta.27","v3.0.0-beta.28","v3.0.0-beta.29","v3.0.0-beta.3","v3.0.0-beta.30","v3.0.0-beta.31","v3.0.0-beta.32","v3.0.0-beta.33","v3.0.0-beta.34","v3.0.0-beta.35","v3.0.0-beta.36","v3.0.0-beta.37","v3.0.0-beta.38","v3.0.0-beta.39","v3.0.0-beta.4","v3.0.0-beta.6","v3.0.0-beta.7","v3.0.0-beta.8","v3.0.0-rc1","v3.0.0-rc2","v3.0.0-rc3","v3.0.0-rc4","v3.0.0-rc5","v3.0.0-rc6","v3.0.0-rc7","v3.0.1","v3.0.10","v3.0.2","v3.0.3","v3.0.4","v3.0.5","v3.0.6","v3.0.7","v3.0.8","v3.0.9","v3.1.0","v3.2.0","v3.2.1","v3.3.0","v3.3.1","v4.0.0","v4.0.0-rc.1","v4.0.0-rc.3","v4.1.0","v4.2.0","v4.3.0","v4.4.0","v4.5.1","v5.0.0","v5.0.0-rc1","v5.0.0-rc2","v5.0.0-rc3","v5.0.0-rc4","v5.0.0-rc5","v5.1.0","v5.10.0","v5.10.1","v5.11.0","v5.11.1","v5.12.0","v5.12.1","v5.12.2","v5.12.3","v5.13.0","v5.14.0","v5.15.0","v5.16.0","v5.16.1","v5.17.0","v5.17.1","v5.17.2","v5.17.3","v5.18.0","v5.19.0","v5.19.1","v5.2.0","v5.20.0","v5.20.1","v5.20.2","v5.21.0","v5.22.0","v5.22.1","v5.23.0","v5.24.0","v5.25.0","v5.26.0","v5.26.1","v5.27.0","v5.28.0","v5.29.0","v5.3.0","v5.3.1","v5.3.2","v5.3.3","v5.3.4","v5.3.5","v5.30.0","v5.31.0","v5.4.0","v5.4.1","v5.5.0","v5.5.1","v5.5.2","v5.5.3","v5.6.0","v5.7.0","v5.7.1","v5.7.2","v5.7.3","v5.8.0","v5.8.1","v5.9.0","v5.9.1","v5.9.2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27793.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}]}