Source: vega.js
Version: 5.28.0+ds+~cs5.3.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for vega.js.

CVE-2025-66648[0]:
| vega-functions provides function implementations for the Vega
| expression language. Prior to version 6.1.1, for sites that allow
| users to supply untrusted user input, malicious use of an internal
| function (not part of the public API) could be used to run
| unintentional javascript (XSS). This issue is fixed in
| vega-functions `6.1.1`. There is no workaround besides upgrading. Using
| `vega.expressionInterpreter` as described in CSP safe mode does not
| prevent this issue.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-66648
    https://www.cve.org/CVERecord?id=CVE-2025-66648
[1] https://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
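A defender-side check for this advisory, added here as an example that is not part of the bug report or of the vega project: it walks an npm `package-lock.json` dependency tree and flags every `vega-functions` install whose version is below the fixed release 6.1.1 named in the advisory, including copies nested under other packages. The lockfile contents and all version numbers in it are constructed sample data, not a real project's lockfile.

```javascript
// Added example (not from the bug report or the vega project): find installs
// of vega-functions older than the fixed release 6.1.1 in an npm lockfile.
// The SAMPLE_LOCK object below is constructed sample data.

const FIXED_VERSION = '6.1.1';        // fixed release named in CVE-2025-66648
const AFFECTED_PACKAGE = 'vega-functions';

// Parse "MAJOR.MINOR.PATCH" into numbers; a prerelease/build suffix is ignored.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// "Prior to version 6.1.1" means strictly less than the fixed version.
function isVulnerable(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 lockfile. Keys are
// node_modules paths such as "node_modules/vega/node_modules/vega-functions",
// so nested (deduplicated-away) copies are visited as well as top-level ones.
function findVulnerableInstalls(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path) continue; // "" is the root project itself, not a dependency
    const name = path.split('node_modules/').pop();
    if (name === AFFECTED_PACKAGE && entry.version && isVulnerable(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: a fixed top-level copy next to an old copy
// nested under another package.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-app', version: '1.0.0' },
    'node_modules/vega-functions': { version: '6.1.1' },
    'node_modules/vega': { version: '5.28.0' },
    'node_modules/vega/node_modules/vega-functions': { version: '5.15.0' },
  },
};

for (const hit of findVulnerableInstalls(SAMPLE_LOCK)) {
  console.log(`${hit.path}: ${hit.version} < ${FIXED_VERSION} (CVE-2025-66648)`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`. The nested-path handling is the point of the check: `vega-functions` is normally pulled in as a dependency of `vega` rather than installed directly, so an up-to-date top-level copy says nothing about a second copy nested under another package, and the advisory's only remediation is upgrading every install.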
