CVE-2025-65110: Vega XSS via expression abusing vlSelectionTuples function array map calls in environments with satisfactory function gadgets in the global scope

January 5, 2026 (updated January 6, 2026)

Vega offers the evaluation of expressions in a secure context. Arbitrary function call is prohibited. When an event is exposed to an expression, member get of window objects is possible. Because of this exposure, in some applications, a crafted object that sets a map value with a function copied from the window that results in calling this.foo(this.bar) can be passed to the vlSelectionTuples function, calling the copied map function, allowing DOM XSS to be achieved.

In practice, an accessible gadget like this exists in the global VEGA_DEBUG code.

vlSelectionTuples({
map: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on,
eventName: event.view.console.log,
_handlers:{
undefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)'
},
_handlerIndex: event.view.eval
})

References

Code Behaviors & Features

Detect and mitigate CVE-2025-65110 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →