GHSA-829q-m3qg-ph8r · 深刻度: high · エコシステム: npm — Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. First, they use `vega` in an application that attaches both `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window`, or has any other satisfactory function gadgets in the global scope. Second, they allow user-defined Vega `JSON` definitions (vs JSON that was is only provided through source code). This vulnerability allows for DOM XSS, potentially stored, potentially reflected, depending on how the library is being used. The vulnerability requires user interaction with the page to trigger. An attacker can exploit this issue by tricking a user into opening a malicious Vega specification. Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the application’s domain. This can lead to theft of sensitive information such as authentication tokens, manipulation of data displayed to the user, or execution of unauthorized actions on behalf of the victim. This exploit compromises confidentiality and integrity of impacted applications.Patched versions are available in `[email protected]` (requires ESM) for Vega v6 and `[email protected]` (no ESM needed) for Vega v5. As a workaround, do not attach `vega` or `vega.View` instances to global variables or the window as the editor used to do. This is a development-only debugging practice that should not be used in any situation where Vega/Vega-lite definitions can come from untrusted parties.
総合評価: CVE-2025-65110 は悪用リスクが高い(60.3/100)。CVSS 深刻度は高。悪用される可能性が高い(EPSS 0.45%、36 パーセンタイル) 根拠: 公開エクスプロイトが 1 件参照されています(Exploit-DB)。 推奨対応: 公開エクスプロイトが確認されています。影響範囲の確認、緩和策の適用、パッチ適用を優先してください。
リスクは変動します。再評価に基づき、本ページの表示内容を更新しています。
| EDB-ID | ソース | 種別 | 公開 | リンク |
|---|---|---|---|---|
| — | nvd_ref | exploit_tag | Exploit-DB ↗ |
EPSS は日次で悪用されやすさの相対度合いを推定します。パーセンタイルは採点済み CVE の中での相対位置(高いほど相対的に深刻)を示します。
| # | 日付 | 旧 EPSS スコア | 新 EPSS スコア | Δ(新 − 旧) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.04% | 0.45% | +0.41% |
| 2 | 2026-05-22 | 0.07% | 0.04% | -0.02% |
| 3 | 2026-01-06 | — | 0.07% | — |
EPSS の全履歴 (全 3 件)
この CVE の CVSS 指標。
| ベーススコア | バージョン | 深刻度 | ベクトル | 悪用しやすさ | 影響 | スコアの出典 |
|---|---|---|---|---|---|---|
| 8.1 | 3.1 | HIGH |
|
2.8 | 5.2 | [email protected] |
| 9.3 | 3.1 | CRITICAL |
|
2.8 | 5.8 | [email protected] |
GHSA-829q-m3qg-ph8r · 深刻度: high · エコシステム: npm — Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope
| vendor | priority | summary | link |
|---|---|---|---|
debian
|
not yet assigned | CVE-2025-65110 not yet assigned priority: Debian including 1 source packages (vega.js), 4 status rows across 4 suites (bookworm, forky, sid, trixie): open 2, resolved 2. | https://security-tracker.debian.org/tracker/CVE-2025-65110 |
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2025-65110 |
ubuntu
|
medium | CVE-2025-65110 medium priority: Ubuntu including 1 source packages (vega.js), 5 status rows across 5 suites (jammy, noble, plucky, questing, upstream): needs-triage 3, DNE 1, ignored 1. | https://ubuntu.com/security/CVE-2025-65110 |
| ベンダー | 製品 | バージョン | 生の CPE |
|---|---|---|---|
| vega_project | vega | < 5.6.3 | cpe:2.3:a:vega_project:vega:*:*:*:*:*:node.js:*:* |
| vega_project | vega | >= 6.0.0, < 6.1.2 | cpe:2.3:a:vega_project:vega:*:*:*:*:*:node.js:*:* |
| URL | タグ |
|---|---|
| https://github.com/vega/vega/security/advisories/GHSA-829q-m3qg-ph8r | Exploit Vendor Advisory |