CVE-2025-65110

CVE-2025-65110 is a DOM-based cross-site scripting (XSS) vulnerability classified under CWE-79 in the Vega visualization grammar library, a declarative format for creating interactive visualizations. It affects applications using Vega versions prior to 6.1.2 and 5.6.3 that meet two specific conditions: attaching both the Vega library and a Vega.View instance to the global window object (similar to the Vega Editor) or having suitable function gadgets in the global scope, and allowing user-defined Vega JSON definitions from untrusted sources rather than only hardcoded JSON. Even when using the "safe mode" expressionInterpreter, this flaw enables arbitrary JavaScript code execution.

The vulnerability can be exploited remotely by any unauthenticated attacker (AV:N/PR:N) with low complexity (AC:L), though it requires user interaction (UI:R) such as opening a malicious Vega specification file. Exploitation occurs when a victim interacts with a web page hosting the vulnerable application, potentially leading to stored or reflected DOM XSS depending on implementation. Successful attacks allow arbitrary JavaScript execution in the context of the application's domain, compromising confidentiality and integrity (C:H/I:H) by enabling theft of sensitive data like authentication tokens, manipulation of displayed data, or unauthorized actions on the victim's behalf, with no impact on availability (A:N).

According to the GitHub security advisory (GHSA-829q-m3qg-ph8r), mitigation involves upgrading to patched versions: vega-selections@6.1.2 (requiring ESM) for Vega v6 or vega-selections@5.6.3 (no ESM needed) for Vega v5. As a workaround, avoid attaching Vega or Vega.View instances to global variables or the window object, a practice recommended only for development and not for environments handling untrusted Vega or Vega-Lite definitions. The CVSS v3.1 base score is 8.1 (High).