
Cloud Vulnerability DB
A community-led vulnerabilities database
Vega, a visualization grammar for creating interactive visualization designs, disclosed a cross-site scripting vulnerability (CVE-2025-25304) affecting versions prior to 5.26.0 of vega and 5.4.2 of vega-selections. The vulnerability was discovered and reported on February 14, 2025, impacting the vlSelectionTuples function, which could be exploited to execute arbitrary JavaScript code (GitHub Advisory).
The vulnerability exists in the vlSelectionTuples function, which can be manipulated to call JavaScript functions with attacker-controlled arguments. The function contains multiple vulnerable function calls that can be controlled by an attacker. The exploit can be achieved by calling Function() with arbitrary JavaScript, and the resulting function can be executed either through vlSelectionTuples or by using type coercion to call toString or valueOf. The vulnerability has been assigned a CVSS v4.0 score of 6.9 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N (NVD).
The vulnerability allows attackers to execute arbitrary JavaScript code through cross-site scripting attacks. This could potentially lead to unauthorized access to sensitive information, session hijacking, or other malicious activities typically associated with XSS vulnerabilities (GitHub Advisory).
Users are advised to upgrade to Vega version 5.26.0 or later and vega-selections version 5.4.2 or later, which contain the security fixes for this vulnerability. The fix implements additional validation and protection mechanisms against XSS attacks through the introduction of a SELECTION_GETTER symbol and proper field accessor registration (GitHub Commit).
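The two weaknesses the advisory describes (a callable taken from untrusted tuple data, and a non-string field coerced through toString/valueOf) and the shape of the fix (a private SELECTION_GETTER symbol plus explicit accessor registration) as an added, constructed illustration; this is not Vega's code, and every name and data shape below is an assumption.

```javascript
// Constructed example, not Vega's code: field accessors are created only here,
// tagged with a module-private Symbol and kept in a registry.
const SELECTION_GETTER = Symbol('SELECTION_GETTER');
const registry = new Map(); // field name -> registered getter

function registerFieldGetter(field) {
  const getter = (datum) => datum[field];
  Object.defineProperty(getter, SELECTION_GETTER, { value: field });
  registry.set(field, getter);
  return getter;
}

// Weak pattern: a callable smuggled inside the tuple is invoked as-is, and a
// non-string field is coerced with String(), which runs its toString()/valueOf().
function selectionValueWeak(tuple, datum) {
  const field = String(tuple.field);
  const getter = tuple.getter || registry.get(field);
  return getter ? getter(datum) : undefined;
}

// Hardened pattern: the field must already be a primitive string (no coercion),
// the getter is resolved from the registry only, and it must carry the Symbol.
function selectionValue(tuple, datum) {
  if (typeof tuple.field !== 'string') {
    throw new TypeError('selection field must be a string');
  }
  const getter = registry.get(tuple.field);
  if (typeof getter !== 'function' || getter[SELECTION_GETTER] !== tuple.field) {
    throw new Error(`no registered accessor for field "${tuple.field}"`);
  }
  return getter(datum);
}

// Constructed demonstration: a tuple carrying its own callable and a field whose
// toString() records that coercion happened.
function demo() {
  registerFieldGetter('price');
  const datum = { price: 42 };
  let coerced = false;
  const hostile = {
    field: { toString() { coerced = true; return 'price'; } },
    getter: () => 'attacker-chosen result',
  };
  const weak = selectionValueWeak(hostile, datum); // runs the smuggled callable
  let hardened;
  try { selectionValue(hostile, datum); } catch (e) { hardened = e.constructor.name; }
  return { weak, coerced, hardened, legit: selectionValue({ field: 'price' }, datum) };
}
```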
Source: This report was generated using AI