5.3

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-27793

GHSA ID

GHSA-963h-3v39-3pqf

EPSS Score

0.22254%

CWE

CWE-79

Published

3/27/2025

Updated

3/27/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-27793

CVE-2025-27793: Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]

Impact

Users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with the vega-interpreter.

Workarounds

Use vega with expression interpreter
Upgrade to a newer Vega version (5.32.0)

POC Summary

Calling replace with a RegExp-like pattern calls RegExp.prototype[@@replace], which can then call an attacker-controlled exec function.

POC Details

Consider the function call replace('foo', {__proto__: /h/.constructor.prototype, global: false}). Since pattern has RegExp.prototype[@@replace], pattern.exec('foo') winds up being called.

The resulting malicious call looks like this:

replace(<string argument>, {__proto__: /h/.constructor.prototype, exec: <function>, global: false})

Since functions cannot be returned from this, an attacker that wishes to escalate to XSS must abuse event.view to gain access to eval.

Reproduction steps

{"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","on":[{"events":"body:mousemove{99999}","update":"replace('alert(1)',{__proto__:/h/.constructor.prototype,exec:event.view.eval,global:false})"}]}]}

(GitHub Advisory)

5.3

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-27793

GHSA ID

GHSA-963h-3v39-3pqf

EPSS Score

0.22254%

CWE

CWE-79

Published

3/27/2025

Updated

3/27/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
vega	npm	< 5.32.0	5.32.0
vega-functions	npm	< 5.17.0	5.17.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The security patch adds validation to the replace function in vega-functions to restrict pattern arguments to only strings/RegExps. This indicates:

The vulnerability existed in the unpatched replace function
The function processes user-controllable input (pattern argument)
The exploit POC directly triggers through this function via the 'update' signal handler
The function would appear in stack traces when processing malicious replace patterns

No other functions were modified in the provided patch, and the reproduction steps specifically target this string replacement mechanism.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Imp**t Us*rs runnin* V***/V***-lit* JSON ***initions *oul* run un*xp**t** J*v*S*ript *o** w**n *r*win* *r*p*s, unl*ss t** li*r*ry is us** wit* t** `v***-int*rpr*t*r`. ## Work*roun*s - Us* `v***` wit* [*xpr*ssion int*rpr*t*r](*ttps://v***.*it*u*

Reasoning

T** s**urity p*t** ***s v*li**tion to t** r*pl*** *un*tion in v***-*un*tions to r*stri*t p*tt*rn *r*um*nts to only strin*s/R***xps. T*is in*i**t*s: *. T** vuln*r**ility *xist** in t** unp*t**** r*pl*** *un*tion *. T** *un*tion pro**ss*s us*r-*ontrol

5.3

Basic Information

Concerned about an active attack path?

CVE-2025-27793: Vega vulnerable to Cross-site Scripting via RegExp.prototype[@@replace]

Impact

Workarounds

POC Summary

POC Details

Reproduction steps

5.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI