Vega Functions Cross-Site Scripting Vulnerability

Vulnerability

A cross-site scripting (XSS) vulnerability has been identified in the vega-functions package, which provides the function implementations for the Vega expression language. This issue affects versions 6.1.0 and prior on sites that allow users to supply untrusted data. The vulnerability arises from the misuse of an internal function that is not part of the public API, which can be exploited to execute unintended JavaScript. The problem is fixed in vega-functions version 6.1.1. Notably, there is no workaround other than upgrading; using vega.expressionInterpreter in CSP-safe mode does not mitigate the issue.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject and execute malicious scripts in the context of the user's browser.

Reproduction

To reproduce this vulnerability, create a Vega visualization that includes a signal with a timer event. Within the event handler, use the setdata function to manipulate a data source while injecting untrusted input, such as domain information and cookies. This payload can be crafted to include JavaScript code, which is executed when the signal is processed.

Remediation

Upgrade to vega-functions version 6.1.1.
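Since upgrading is the only remediation, the practical first step is finding every installed copy of vega-functions below 6.1.1, including copies nested under other packages such as vega itself. The following audit of an npm lockfile is an added example, not code from this advisory or from the Vega project; the lockfile contents it scans are constructed sample data, and the 6.1.1 threshold comes from the advisory.

```javascript
// Added example (not part of the advisory): flag vega-functions installs
// below the fixed version 6.1.1 in an npm package-lock.json object.

const FIXED_VERSION = "6.1.1"; // fixed version stated in the advisory

// Compare two dotted version strings numerically; prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Handles lockfileVersion 2/3 ("packages" map keyed by install path) and
// lockfileVersion 1 ("dependencies" tree). Returns every vulnerable copy.
function findVulnerableVegaFunctions(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      const name = path.split("node_modules/").pop(); // last path segment
      if (name === "vega-functions" && entry.version &&
          compareVersions(entry.version, FIXED_VERSION) < 0) {
        hits.push({ path, version: entry.version });
      }
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "vega-functions" && compareVersions(entry.version, FIXED_VERSION) < 0) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, path + "/"); // nested (deduplicated) copies
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile: a fixed top-level copy plus a vulnerable copy
// nested under vega, which a top-level-only check would miss.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/vega-functions": { version: "6.1.1" },
    "node_modules/vega/node_modules/vega-functions": { version: "6.1.0" },
  },
};
```

In a real project, parse package-lock.json from disk with JSON.parse and pass the result to findVulnerableVegaFunctions; any non-empty result means the upgrade is incomplete.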

Added: Jan 5, 2026, 10:27 PM
Updated: Jan 5, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm
spread: 5.4
impact: 1.7
exploitability: 6.0
remediation: 7.7
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.