DOM XSS via Gadget Chain in Vega `vlSelectionTuples`

Vega is a widely adopted declarative language for creating, saving, and sharing interactive visualization designs. While Vega implements a secure, sandboxed environment for evaluating expressions within visualization specifications, this security model relies on the integrity of exposed internal functions. The vulnerability (CVE-2025-65110) resides in vega-selections, a package responsible for handling interactive selections.

The specific flaw exists in the vlSelectionTuples function. This function is exposed to the runtime expression evaluator but lacks necessary type enforcement on its arguments. In JavaScript, method calls are dynamic; if a function expects an array and calls .map() on it, passing an object with a map property pointing to a function will execute that function instead. This behavior allows an attacker to break out of the intended logic flow.

By injecting a malicious Vega specification, an attacker can invoke vlSelectionTuples with a crafted JavaScript object. If the application environment exposes certain global variables (common in debugging scenarios), this object can reference existing functions (gadgets) to execute arbitrary code, effectively bypassing the sandbox and resulting in DOM-based Cross-Site Scripting (XSS).

The root cause of this vulnerability is Improper Input Validation (CWE-20) leading to Improper Neutralization of Input During Web Page Generation (CWE-79). Specifically, the vlSelectionTuples function assumes its input is an array without verification.

The vulnerable code pattern performs an operation similar to return input.map(...). In a secure context, the developer assumes input is data generated by the visualization engine. However, because vlSelectionTuples is accessible via Vega signals, an attacker can control the input argument.

This vulnerability exploits JavaScript's duck-typing. When the engine executes input.map(), it looks up the map property on input. If input is a plain JSON object constructed by an attacker—{"map": ...}—the engine executes whatever function is referenced by that property. The this context inside that function becomes the attacker's object. If the attacker references a "gadget" function (a function that performs dangerous actions based on this properties), they can manipulate the execution flow to invoke sinks like eval() or Function().

The vulnerability is located in the vega-selections package. Below is a comparison of the vulnerable logic and the remediation applied in versions 5.6.3 and 6.1.2.

Vulnerable Code

In the unpatched version, the code directly invokes .map() on the first argument, blindly trusting it is an array.

// vega-selections/src/selection.js (Simplified)
 
export function vlSelectionTuples(input, ...) {
  // VULNERABILITY: No check to ensure 'input' is actually an array.
  // An attacker can pass an object with a 'map' function.
  return input.map(function(d) {
    return { ... };
  });
}

Patched Code

The fix introduces an explicit type check using Array.isArray(). This simple validation ensures that only genuine arrays are processed, neutralizing the gadget attack vector because plain objects will fail this check.

// vega-selections/src/selection.js (Patched)
 
export function vlSelectionTuples(input, ...) {
  // FIX: Explicitly validate that input is an array.
  if (!Array.isArray(input)) {
    return [];
  }
 
  // Safe to call .map() now that we know it's an array.
  return input.map(function(d) {
    return { ... };
  });
}

Exploiting this vulnerability requires a "gadget chain." A gadget is a piece of existing code in the application that can be repurposed for malicious ends. For Vega, a common gadget is found when debugging tools or the vega object itself are exposed globally.

The Attack Vector

1. Injection: The attacker provides a Vega JSON specification. Inside a signals definition, they define a signal that calls vlSelectionTuples.
2. Gadget Selection: The attacker passes an object literal instead of an array. The map property of this object is set to a function that executes logic on this. A known gadget in Vega ecosystems is VEGA_DEBUG.vega.CanvasHandler.prototype.on.
3. Payload Execution: The on function iterates over handlers defined in this. By controlling properties like _handlers and _handlerIndex on the malicious object, the attacker directs the gadget to call window.eval or fetch.

Proof of Concept Payload

{
  "signals": [
    {
      "name": "exploit",
      "update": "vlSelectionTuples({'map': VEGA_DEBUG.vega.CanvasHandler.prototype.on, 'eventName': 'log', '_handlers': ['alert(document.domain)'], '_handlerIndex': window.eval})"
    }
  ]
}

> [!WARNING] > This exploit relies on the availability of a suitable gadget in the global scope. If VEGA_DEBUG or similar objects are not exposed, exploitation becomes significantly harder, though not theoretically impossible if other gadgets exist.

The impact of CVE-2025-65110 is classified as High (CVSS 8.1). Successful exploitation results in arbitrary JavaScript execution within the context of the user's browser.

• Confidentiality: Attackers can access sensitive data accessible to the client script, including session cookies (if not HttpOnly), local storage tokens, and user data displayed in the application.
• Integrity: The attacker can modify the DOM, deface the application, or inject phishing forms to steal credentials.
• Scope: The vulnerability affects any application rendering user-supplied Vega specifications without strict sanitization or sandboxing, particularly those that expose Vega internals for debugging.

While the EPSS score is currently low (0.08%), the availability of a clear PoC and the popularity of Vega in data science dashboards increases the likelihood of targeted exploitation.

Immediate patching is the primary recommendation. The vulnerability is resolved in vega-selections versions 5.6.3 (for Vega 5.x) and 6.1.2 (for Vega 6.x).

Upgrade Steps

Developers using npm or yarn should update their lockfiles to ensure the transitive dependency vega-selections is resolved to a safe version.

# Check current version
npm list vega-selections
 
# Update dependencies
npm update vega vega-selections

Defense in Depth

If immediate patching is not feasible, the following mitigations reduce risk:

1. Remove Global Exposure: Ensure that VEGA_DEBUG, vega, and view instances are not attached to the window object in production environments. This breaks the specific gadget chain used in the known PoC.
2. Content Security Policy (CSP): Implement a strict CSP that disallows unsafe-eval. This prevents the window.eval sink from executing the payload, even if the gadget chain is triggered.