Source: vega.js
Version: 5.28.0+ds+~cs5.3.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for vega.js.

CVE-2025-59840[0]:
| Vega is a visualization grammar, a declarative format for creating,
| saving, and sharing interactive visualization designs. In Vega prior
| to version 6.2.0, applications meeting 2 conditions are at risk of
| arbitrary JavaScript code execution, even if "safe mode"
| expressionInterpreter is used. They are vulnerable if they use
| `vega` in an application that attaches the `vega` library and a
| `vega.View` instance similar to the Vega Editor to the global
| `window` and if they allow user-defined Vega `JSON` definitions (vs
| JSON that is only provided through source code). Patches are
| available in the following Vega applications. If using the latest
| Vega line (6.x), upgrade to `vega` `6.2.0` / `vega-expression`
| `6.1.0` / `vega-interpreter` `2.2.1` (if using AST evaluator mode).
| If using Vega in a non-ESM environment, upgrade to `vega-expression`
| `5.2.1` / `1.2.1` (if using AST evaluator mode). Some workarounds
| are available. Do not attach `vega` View instances to global
| variables, and do not attach `vega` to the global window. These
| practices of attaching the vega library and View instances may be
| convenient for debugging, but should not be used in production or in
| any situation where vega/vega-lite definitions could be provided by
| untrusted parties.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-59840
    https://www.cve.org/CVERecord?id=CVE-2025-59840
[1] https://github.com/vega/vega/security/advisories/GHSA-7f2v-3qq3-vvjf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
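As an added illustration of the workaround in the advisory (this is not code from Salvatore's report or from the Vega project), the guard below refuses to render a user-supplied spec when the page has exposed the vega library or a `vega.View` instance on the global object, which is the precondition the advisory names, and keeps the View in module scope instead of on `window`. It assumes the standard vega entry points `vega.parse(spec)` and `new vega.View(runtime, options)`; the duck-typing heuristics and the names `findExposedVegaGlobals` and `renderUntrustedSpec` are this example's own.

```javascript
// Returns the names of global properties that look like the vega library
// (has parse() and a View constructor) or a vega.View instance (has
// runAsync() and signal()). Detection is duck-typed, an assumption of this
// example, so an unusual wrapper object could be missed or over-reported.
function findExposedVegaGlobals(globalObj) {
  const hits = [];
  for (const name of Object.getOwnPropertyNames(globalObj)) {
    let value;
    try {
      value = globalObj[name];
    } catch (_) {
      continue; // some window getters throw (e.g. cross-origin frames)
    }
    if (value === null || (typeof value !== 'object' && typeof value !== 'function')) {
      continue;
    }
    if (typeof value.parse === 'function' && typeof value.View === 'function') {
      hits.push(name); // library attached, e.g. window.vega = vega
    } else if (typeof value.runAsync === 'function' && typeof value.signal === 'function') {
      hits.push(name); // View attached, e.g. window.view = new vega.View(...)
    }
  }
  return hits;
}

// Renders an untrusted spec only when neither the library nor a View is
// reachable from the global object. The View stays local to this function's
// caller; it is never assigned to window.
async function renderUntrustedSpec(vega, spec, container, globalObj = globalThis) {
  const exposed = findExposedVegaGlobals(globalObj);
  if (exposed.length > 0) {
    throw new Error(
      `refusing to render untrusted spec: vega globals exposed: ${exposed.join(', ')}`
    );
  }
  const view = new vega.View(vega.parse(spec), { renderer: 'svg', container });
  await view.runAsync();
  return view;
}
```

Running the check once at startup is not enough: debugging code that adds `window.view` later would reopen the hole, which is why the guard runs on every render of untrusted input.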
