CVE-2025-14896

Published: Dec 18, 2025

Modified: Dec 18, 2025

PUBLISHED

CVSS v3.1

7.5

HIGH

Description

due to insufficient sanitazation in Vega’s `convert()` function when `safeMode` is enabled and the spec variable is an array. An attacker can craft a malicious Vega diagram specification that will allow them to send requests to any URL, including local file system paths, leading to exposure of sensitive information.

Vendor	Product	Versions
yuzutech	kroki	affected `0 - < *`

Weaknesses (CWE)

CWE-552

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

References

https://github.com/yuzutech/kroki/commit/f31093cd8a0a1d6999c43d560f62d1e82d59c77e

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2025-14896

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References