Jan 6, 2026 · 7 min read
Vega blindly trusts that an input is an Array before calling `.map()` on it. Attackers can pass a malicious object instead, hijacking the method call to trigger 'gadgets' like `CanvasHandler.prototype.on`. In environments where debug globals are exposed, this chains directly into `eval()`, turning your innocent bar chart into a remote shell.
This is a high-severity DOM-based Cross-Site Scripting (XSS) vulnerability in the Vega visualization library. By exploiting a type confusion flaw in the `vega-selections` package, an attacker can hijack a method call and execute arbitrary JavaScript in the viewer's browser via a crafted JSON specification.
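The type-confusion pattern described above next to its fix, as an added example that is not Vega's or vega-selections' code: `toFieldNamesUnsafe`, `toFieldNamesSafe` and the recording `gadget` are hypothetical stand-ins for the library code and for whatever method a crafted `map` property resolves to.

```javascript
// Added example, not from the Vega project. Names below are hypothetical.

// Stand-in for a library method that an attacker-controlled `map` property
// could resolve to. It only records that it was reached; nothing is evaluated.
const reached = [];
function gadget(callback) {
  reached.push(typeof callback);
  return "gadget-output";
}

// Vulnerable pattern: duck-typing treats any object with a callable `map`
// as an array, so `input.map(...)` dispatches to whatever `map` points at.
function toFieldNamesUnsafe(input) {
  if (input && typeof input.map === "function") {
    return input.map(function fieldName(f) { return String(f); });
  }
  return [];
}

// Fixed pattern: Array.isArray checks the value's actual type rather than
// the presence of a `map` property, so a crafted object never reaches a
// method call and is rejected before any further processing.
function toFieldNamesSafe(input) {
  if (!Array.isArray(input)) {
    throw new TypeError("expected a JSON array of field names");
  }
  return input.map((f) => String(f));
}

// Constructed inputs: a legitimate spec fragment and a hostile one whose
// `map` property has been pointed at the recording gadget.
const legit = ["x", "y"];
const hostile = { map: gadget };

function demo() {
  const results = {
    legitUnsafe: toFieldNamesUnsafe(legit),      // ["x", "y"]
    hostileUnsafe: toFieldNamesUnsafe(hostile),  // "gadget-output": gadget ran
    gadgetCalls: reached.length,                 // 1
    legitSafe: toFieldNamesSafe(legit),          // ["x", "y"]
    hostileSafe: null,                           // set to the thrown error name
  };
  try { toFieldNamesSafe(hostile); } catch (e) { results.hostileSafe = e.name; }
  return results;
}
```

Running `demo()` shows the unsafe path invoking the gadget once with the hostile object while the fixed path throws a `TypeError` without touching it.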
| Product | Affected Versions | Fixed Version |
|---|---|---|
| vega-selections, vega | < 5.6.3 | 5.6.3 |
| vega-selections, vega | >= 6.0.0, < 6.1.2 | 6.1.2 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-79 |
| Attack Vector | Network (DOM-based) |
| CVSS v3.1 | 8.1 (High) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| Exploit Status | PoC Available |
| Patch Date | 2026-01-05 |
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')