CVE-2025-14896 Overview
CVE-2025-14896 is a server-side request forgery (SSRF) vulnerability in the Vega visualization grammar library. The flaw resides in the convert() function when safeMode is enabled and the spec variable is passed as an array. Insufficient sanitization allows an attacker to bypass the safe mode protection and craft a malicious Vega diagram specification. The crafted specification can force the renderer to issue requests to arbitrary URLs, including file:// paths on the local file system. Successful exploitation leads to exposure of sensitive information from the host environment. The vulnerability is tracked under CWE-552: Files or Directories Accessible to External Parties.
Critical Impact
Remote, unauthenticated attackers can read local files and reach internal network resources by submitting crafted Vega specifications to vulnerable services such as Kroki.
Affected Products
- Kroki diagram rendering service consuming Vega specifications
- Applications embedding Vega convert() with safeMode enabled and array-based specs
- Downstream services rendering user-supplied Vega or Vega-Lite content
Discovery Timeline
- 2025-12-18 - CVE-2025-14896 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-14896
Vulnerability Analysis
Vega exposes a convert() helper used to load data referenced inside a chart specification. When operators enable safeMode, the function is expected to restrict outbound data loads to trusted destinations. The check fails when the spec argument is supplied as an array rather than a single object. In that path, URL inputs are not validated against the safe mode allow list. An attacker who can submit a specification to a service such as Kroki therefore controls the destination of server-side fetches. The resulting confidentiality impact is high while integrity and availability are unaffected, consistent with a classic SSRF and local file disclosure pattern.
Root Cause
The root cause is incomplete input sanitization in the array-handling branch of convert(). The safe mode logic only inspects a single-object spec input and does not recurse into array elements. Each entry in the array therefore bypasses the URL filter, so attacker-controlled values flow directly into the data loader.
Attack Vector
Exploitation occurs over the network without authentication or user interaction. The attacker submits a Vega specification containing a data load directive whose URL points to an internal HTTP endpoint, cloud metadata service, or file:/// resource. The vulnerable server fetches the resource and returns its contents within the rendered diagram or error response. The reference patch is the Kroki commit cited under Patch Information below.
// No verified public proof-of-concept code is available.
// The vulnerability is triggered by supplying an array-form Vega `spec`
// whose data loader URL points to a file:// or internal HTTP resource
// while `safeMode` is enabled.
Detection Methods for CVE-2025-14896
Indicators of Compromise
- Outbound HTTP or file-scheme requests originating from Vega or Kroki processes to internal IP ranges, cloud metadata endpoints, or local paths.
- Vega specifications submitted by clients that contain array-form spec payloads with url fields referencing file://, 127.0.0.1, 169.254.169.254, or internal hostnames.
- Diagram render responses containing fragments of system files such as /etc/passwd or configuration data.
Detection Strategies
- Inspect application logs for Vega convert() invocations where the spec parameter is an array and contains a url property.
- Apply web application firewall rules that flag JSON request bodies containing file://, localhost, or RFC 1918 addresses inside Vega/Vega-Lite payloads.
- Correlate diagram service egress traffic against an allow list of approved data sources.
Monitoring Recommendations
- Enable verbose request logging on Kroki and any service exposing Vega rendering to untrusted users.
- Alert on Vega/Kroki processes opening local files outside their working directory or initiating connections to non-public IP space.
- Track CWE-552 detections from static analysis across application repositories that import Vega.
How to Mitigate CVE-2025-14896
Immediate Actions Required
- Upgrade Kroki and any embedded Vega runtime to a version that includes the fix from commit f31093c.
- Restrict network egress from diagram-rendering hosts to a defined allow list, blocking access to metadata services and internal subnets.
- Reject Vega specifications containing array-form spec values until patched, or strip url fields server-side.
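The detection rules above and the "strip url fields" workaround, written out as an added example (not part of this advisory or of the Vega/Kroki projects): the filter walks a submitted spec in either object or array form, lists every url field that points at a non-HTTP scheme, a local hostname, a link-local/metadata address, or a non-public IP, and can return a copy of the spec with all url fields removed. LOCAL_HOSTS is an assumed set to be extended per environment.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Hostnames for the renderer itself or its cloud metadata service (assumed set; extend locally).
LOCAL_HOSTS = {"localhost", "metadata", "metadata.google.internal"}

def iter_urls(node, path="spec"):
    """Yield (json_path, url) for every string 'url' field; lists are walked per element."""
    if isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_urls(item, f"{path}[{i}]")
    elif isinstance(node, dict):
        for key, value in node.items():
            if key == "url" and isinstance(value, str):
                yield f"{path}.url", value
            else:
                yield from iter_urls(value, f"{path}.{key}")

def classify_url(url):
    """Return a block reason for a data-load URL, or None if it may pass to egress controls."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("http", "https"):
        return f"non-http scheme '{parts.scheme or 'relative'}'"  # file://, relative paths
    host = (parts.hostname or "").lower()
    if host in LOCAL_HOSTS:
        return f"local hostname '{host}'"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return None  # DNS name: the egress allow list has the final say
    if ip.is_link_local:
        return "link-local / cloud metadata address"
    if not ip.is_global:
        return f"non-public address {ip}"  # RFC 1918, loopback, reserved
    return None

def inspect_spec(spec_json):
    """Parse a submitted spec (object or array form) and list (path, url, reason) hits."""
    urls = iter_urls(json.loads(spec_json))
    return [(p, u, r) for p, u in urls if (r := classify_url(u))]

def strip_urls(node):
    """Deep copy with every 'url' key removed: the server-side workaround above."""
    if isinstance(node, list):
        return [strip_urls(x) for x in node]
    if isinstance(node, dict):
        return {k: strip_urls(v) for k, v in node.items() if k != "url"}
    return node
```

Hostname shorthand or DNS names that resolve to internal addresses are deliberately left to the egress allow list, so this filter complements rather than replaces the network restrictions listed above.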
Patch Information
The upstream fix is the Kroki GitHub commit f31093c noted above. Operators running Kroki should rebuild containers from the patched commit or later. Applications that embed Vega directly must update to a Vega release that enforces safeMode checks across both object and array spec inputs.
Workarounds
- Disable user-supplied Vega rendering paths until patched builds are deployed.
- Run the diagram service in a network namespace without access to internal HTTP endpoints or cloud metadata services.
- Mount the container filesystem read-only and remove access to sensitive paths such as /etc, /proc, and cloud credential files.
# Example egress restriction with iptables for a Kroki container host.
# These rules match traffic generated by the host itself (OUTPUT chain); a
# bridge-networked container's traffic traverses FORWARD instead, so add the
# same destinations there (for Docker, in the DOCKER-USER chain) as well.
iptables -A OUTPUT -d 169.254.169.254 -j DROP   # cloud metadata service
iptables -A OUTPUT -d 10.0.0.0/8 -j DROP        # RFC 1918 internal ranges
iptables -A OUTPUT -d 172.16.0.0/12 -j DROP
iptables -A OUTPUT -d 192.168.0.0/16 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.