Vega
cpe:2.3:a:vega_project:vega:*:*:*:*:*:*:*, +2 more
- <= 6.1.2
A cross-site scripting (XSS) vulnerability has been identified in Vega versions prior to 6.2.0. This issue arises in applications that attach the Vega library and a `vega.View` instance to the global `window`, similar to the Vega Editor, while also allowing user-defined Vega JSON definitions. The vulnerability exists even when the 'safe mode' expression interpreter is used, and can be exploited to execute arbitrary JavaScript code in the context of the application's domain.
Exploitation of this vulnerability allows for DOM-based XSS, potentially stored or reflected, depending on the application's use of the Vega library. The vulnerability requires user interaction to trigger, such as opening a malicious Vega specification.
To reproduce this vulnerability, create a Vega application that attaches the Vega library and a `vega.View` instance to the global `window`. Ensure that the application allows user-defined Vega JSON definitions. Once the application is set up, move the mouse over the visualization to trigger the XSS payload, which will execute arbitrary JavaScript in the context of the application.
Upgrade to Vega version 6.2.0, or to `vega-expression` version 6.1.0 or `vega-interpreter` version 2.2.1 if using AST evaluator mode. For non-ESM environments, upgrade to `vega-expression` version 5.2.1 or 1.2.1 if using AST evaluator mode.
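The upgrade guidance above can be turned into a lockfile check. This is an added example, not code from the advisory or the Vega project. It assumes npm's lockfileVersion 2/3 `packages` map and reads the advisory's "1.2.1" as the non-ESM `vega-interpreter` fix. `auditLock`, `requiredFix` and the sample lockfile are names constructed for this illustration.

```javascript
// Fixed releases named in the advisory, keyed by package and major line.
// Assumption: "1.2.1" is read as the non-ESM vega-interpreter fix.
const FIXED = {
  'vega': { 6: '6.2.0' },
  'vega-expression': { 5: '5.2.1', 6: '6.1.0' },
  'vega-interpreter': { 1: '1.2.1', 2: '2.2.1' },
};

// "x.y.z" -> [x, y, z]; pre-release and build suffixes are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? m.slice(1).map(Number) : null;
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// Fix for the installed major line, else the next fixed line above it,
// so vega 5.x is reported against 6.2.0 (the page lists "<= 6.1.2").
function requiredFix(name, have) {
  const majors = Object.keys(FIXED[name]).map(Number).sort((a, b) => a - b);
  const major = majors.find((m) => m >= have[0]);
  return major === undefined ? null : FIXED[name][major];
}

// Walk the lockfile v2/v3 "packages" map, including nested copies.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    if (!Object.prototype.hasOwnProperty.call(FIXED, name)) continue;
    const have = parseVersion(meta.version);
    const fix = have && requiredFix(name, have);
    if (fix && lessThan(have, parseVersion(fix))) {
      findings.push({ path, installed: meta.version, fix });
    }
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = { packages: {
  'node_modules/vega': { version: '6.1.2' },
  'node_modules/vega-expression': { version: '6.1.0' },
  'node_modules/vega-interpreter': { version: '2.2.1' },
  'node_modules/legacy-charts/node_modules/vega-expression': { version: '5.1.2' },
} };
console.log(auditLock(sampleLock));
```

A nested copy pulled in by another dependency is reported separately from the top-level one, because either copy can be the one that evaluates a user-supplied specification.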