Source: vega.js
Version: 5.28.0+ds+~cs5.3.0-1
Severity: important
Tags: security upstream
Forwarded: https://github.com/vega/vega/issues/3984
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for vega.js.

CVE-2025-26619[0]:
| Vega is a visualization grammar, a declarative format for creating,
| saving, and sharing interactive visualization designs. In `vega`
| 5.30.0 and lower and in `vega-functions` 5.15.0 and lower, it was
| possible to call JavaScript functions from the Vega expression
| language that were not meant to be supported. The issue is patched
| in `vega` `5.31.0` and `vega-functions` `5.16.0`. Some workarounds
| are available. Run `vega` without `vega.expressionInterpreter`. This
| mode is not the default as it is slower. Alternatively, using the
| interpreter described in CSP safe mode (Content Security Policy)
| prevents arbitrary Javascript from running, so users of this mode
| are not affected by this vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-26619
    https://www.cve.org/CVERecord?id=CVE-2025-26619
[1] https://github.com/vega/vega/issues/3984
[2] https://github.com/vega/vega/security/advisories/GHSA-rcw3-wmx7-cphr
[3] https://github.com/vega/vega/commit/8fc129a6f8a11e96449c4ac0f63de0e5bfc7254c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
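Added example, not part of Salvatore's report or of the Vega project: a small Node.js script that triages a `package-lock.json` dependency tree against the fixed releases named in the advisory (`vega` 5.31.0, `vega-functions` 5.16.0), reporting every copy of either package, including nested ones, whose version is below the fix. The lockfile shown is constructed for illustration; the `compareVersions` helper is a plain dotted-version comparator (assumed sufficient here, not a full semver implementation) that also copes with a Debian-style version string such as `5.28.0+ds+~cs5.3.0-1` by dropping everything after the first `+` or `-`.

```javascript
// Fixed releases per the CVE-2025-26619 advisory.
const FIXED_VERSIONS = { vega: '5.31.0', 'vega-functions': '5.16.0' };

// Compare two dotted numeric versions (x.y.z). Build metadata and
// Debian revision suffixes (everything after the first '+' or '-') are
// ignored. Returns <0, 0 or >0 like a comparator.
function compareVersions(a, b) {
  const parse = v => v.split(/[-+]/)[0].split('.').map(n => parseInt(n, 10) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  const len = Math.max(pa.length, pb.length);
  for (let i = 0; i < len; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk a lockfile v2/v3 `packages` map (keys such as "node_modules/vega"
// or "node_modules/foo/node_modules/vega-functions") and return every
// entry whose package is in FIXED_VERSIONS and whose version is below
// the fixed release. Nested copies are caught because the package name
// is taken from the last "node_modules/" segment of the key.
function findAffected(lock) {
  const affected = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split('node_modules/').pop();
    const fixed = FIXED_VERSIONS[name];
    if (!fixed || !entry.version) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      affected.push({ path, name, version: entry.version, fixed });
    }
  }
  return affected;
}

// Human-readable report lines for the findings.
function formatReport(lock) {
  return findAffected(lock).map(
    h => `${h.path}: ${h.name}@${h.version} < ${h.fixed} (CVE-2025-26619)`
  );
}

// Constructed sample lockfile (not a real project): one direct vega
// 5.28.0, a nested vulnerable vega-functions 5.15.0, and a top-level
// vega-functions that is already at the fixed release.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/vega': { version: '5.28.0' },
    'node_modules/vega/node_modules/vega-functions': { version: '5.15.0' },
    'node_modules/vega-functions': { version: '5.16.0' },
    'node_modules/vega-util': { version: '1.17.2' },
  },
};

for (const line of formatReport(SAMPLE_LOCK)) console.log(line);
```

To check a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a non-empty report means at least one copy in the tree still needs the upgrade, which a single top-level bump can miss when a nested copy is pinned by another dependency.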
