CVE-2025-59840: 
JavaScript vulnerability analysis and mitigation

CVE-2025-59840 is a high-severity Cross-Site Scripting (XSS) vulnerability discovered in Vega, a visualization grammar library. The vulnerability was disclosed on November 13, 2025, affecting Vega versions prior to 6.2.0. The flaw exists in applications that attach the Vega library and a Vega.View instance to the global window while allowing user-defined Vega JSON definitions (GitHub Advisory).

The vulnerability allows arbitrary JavaScript code execution even when using the 'safe mode' expressionInterpreter. The flaw stems from improper input sanitization that enables attackers to abuse toString calls in environments using the VEGA_DEBUG global variable. The vulnerability has received a CVSS v3.1 base score of 8.1 (High) with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N, indicating network accessibility with low attack complexity and no privileges required, though user interaction is necessary (GitHub Advisory).

Successful exploitation of this vulnerability allows attackers to execute arbitrary JavaScript in the context of the application's domain. This can lead to theft of sensitive information such as authentication tokens, manipulation of data displayed to the user, or execution of unauthorized actions on behalf of the victim. The exploit compromises both confidentiality and integrity of impacted applications (GitHub Advisory).

Users are advised to upgrade to Vega 6.2.0, vega-expression 6.1.0, and vega-interpreter 2.2.1 (if using AST evaluator mode) for the latest Vega line (6.x). For non-ESM environments, upgrade to vega-expression 5.2.1 or 1.2.1. As temporary workarounds, users should avoid attaching Vega View instances to global variables and prevent attaching Vega to the global window. These practices, while convenient for debugging, should not be used in production environments or situations where untrusted parties can provide Vega/Vega-lite definitions (GitHub Advisory).