CVE-2025-27793: 
JavaScript vulnerability analysis and mitigation

CVE-2025-27793 affects Vega, a visualization grammar for creating, saving, and sharing interactive visualization designs. The vulnerability was discovered in versions prior to 5.32.0 (corresponding to vega-functions prior to 5.17.0), where users running Vega/Vega-lite JSON definitions could execute unexpected JavaScript code when drawing graphs, unless using the vega-interpreter. The issue was disclosed on March 27, 2025 (GitHub Advisory).

The vulnerability stems from improper handling of RegExp.prototype[@@replace] functionality. When calling the replace function with a RegExp-like pattern, it invokes RegExp.prototype[@@replace], which can then execute an attacker-controlled exec function. The vulnerability is classified under CWE-87 (Improper Neutralization of Alternate XSS Syntax) and CWE-79 (Improper Neutralization of Input During Web Page Generation). The CVSS v4.0 score is 5.3 (Medium), with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N (NVD).

The vulnerability allows attackers to execute arbitrary JavaScript code when drawing graphs through Vega/Vega-lite JSON definitions. This could potentially lead to cross-site scripting attacks if an attacker can manipulate the event.view to gain access to eval functionality (GitHub Advisory).

The vulnerability has been fixed in Vega version 5.32.0 and vega-functions version 5.17.0. As a workaround, users can utilize Vega with the expression interpreter, which provides an alternative evaluation method that is not vulnerable to this attack. The interpreter can be enabled by setting the {ast: true} option during parsing and passing the interpreter as an option to the Vega View constructor (Vega Docs).