Source: vega.js
Version: 5.28.0+ds+~cs5.3.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for vega.js.

CVE-2025-65110[0]:
| Vega is a visualization grammar, a declarative format for creating,
| saving, and sharing interactive visualization designs. Prior to
| versions 6.1.2 and 5.6.3, applications meeting two conditions are at
| risk of arbitrary JavaScript code execution, even if "safe mode"
| expressionInterpreter is used. First, they use `vega` in an
| application that attaches both the `vega` library and a `vega.View`
| instance, similar to the Vega Editor, to the global `window`, or has
| any other satisfactory function gadgets in the global scope. Second,
| they allow user-defined Vega `JSON` definitions (vs. JSON that is
| only provided through source code). This vulnerability allows for
| DOM XSS, potentially stored, potentially reflected, depending on how
| the library is being used. The vulnerability requires user
| interaction with the page to trigger. An attacker can exploit this
| issue by tricking a user into opening a malicious Vega
| specification. Successful exploitation allows the attacker to
| execute arbitrary JavaScript in the context of the application's
| domain. This can lead to theft of sensitive information such as
| authentication tokens, manipulation of data displayed to the user,
| or execution of unauthorized actions on behalf of the victim. This
| exploit compromises confidentiality and integrity of impacted
| applications. Patched versions are available in `vega-
| [email protected]` (requires ESM) for Vega v6 and `vega-
| [email protected]` (no ESM needed) for Vega v5. As a workaround, do
| not attach `vega` or `vega.View` instances to global variables or
| the window as the editor used to do. This is a development-only
| debugging practice that should not be used in any situation where
| Vega/Vega-Lite definitions can come from untrusted parties.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-65110
    https://www.cve.org/CVERecord?id=CVE-2025-65110
[1] https://github.com/vega/vega/security/advisories/GHSA-829q-m3qg-ph8r

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
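The workaround the advisory gives (never expose `vega` or a `vega.View` instance on `window` when specs can come from untrusted parties) is easy to violate by accident, so the following is an added example, written for this page and not code from the advisory, from Debian, or from the vega project, of a pre-flight guard an application can run before rendering a user-supplied spec. The global names `vega` and `view`, the "looks like Vega" shape heuristics (vega's exported `parse` and `View`, and `runAsync`/`signal` on a View instance), the function names, and the fake `vega` stand-in used so the block runs offline are all this example's own assumptions; the `{ expr }` option is the one Vega documents for selecting the expression interpreter.

```javascript
// Added example (not from the advisory, Debian, or the vega project).
// Refuses to render an untrusted Vega spec while the gadgets the advisory
// names (the vega library, a vega.View instance) are reachable from the
// global object, and keeps the View it creates in closure scope.

// Assumption: the Vega Editor used to expose these two globals.
const DEFAULT_GADGET_NAMES = ["vega", "view"];

// Heuristic (assumption): the vega library object exports parse() and View.
function looksLikeVegaLibrary(value) {
  return value != null && typeof value === "object" &&
    typeof value.parse === "function" && typeof value.View === "function";
}

// Heuristic (assumption): a vega.View instance exposes runAsync() and signal().
function looksLikeVegaView(value) {
  return value != null && typeof value === "object" &&
    typeof value.runAsync === "function" && typeof value.signal === "function";
}

// Scan the global object for gadgets. Well-known names are checked first;
// then every own enumerable property is tested by shape, so a renamed
// debugging global (e.g. window.editorView) is caught as well.
function findExposedVegaGadgets(globalObj, names = DEFAULT_GADGET_NAMES) {
  const found = new Set();
  for (const name of names) {
    if (name in globalObj && globalObj[name] !== undefined) found.add(name);
  }
  for (const key of Object.keys(globalObj)) {
    let value;
    try { value = globalObj[key]; } catch (_) { continue; } // some window getters throw
    if (looksLikeVegaLibrary(value) || looksLikeVegaView(value)) found.add(key);
  }
  return [...found].sort();
}

// Render an untrusted spec only when the global scope is clean. The library
// and interpreter are passed in explicitly rather than read from globals, and
// the View never leaves this closure; callers get a narrow handle instead.
function renderUntrustedSpec(spec, { vega, expressionInterpreter }, globalObj = globalThis) {
  const gadgets = findExposedVegaGadgets(globalObj);
  if (gadgets.length > 0) {
    throw new Error("refusing to render untrusted spec; Vega gadgets on global scope: " +
      gadgets.join(", "));
  }
  const runtime = vega.parse(spec);
  const view = new vega.View(runtime, { expr: expressionInterpreter });
  return {
    run: () => view.runAsync(),
    finalize: () => view.finalize(),
  };
}

// Constructed stand-in for the vega library so this example runs offline;
// it only mirrors the handful of methods used above.
function makeFakeVega() {
  class View {
    constructor(runtime, options) { this.runtime = runtime; this.options = options; }
    runAsync() { return Promise.resolve(this); }
    signal() { return this; }
    finalize() { return this; }
  }
  return { parse: (spec) => ({ parsed: spec }), View };
}

// Usage with the stand-in: a clean global scope renders, a leaked View does not.
const fakeVega = makeFakeVega();
const handle = renderUntrustedSpec({ marks: [] }, { vega: fakeVega, expressionInterpreter: () => {} }, {});
handle.finalize();
```

The check is a belt-and-braces control, not a substitute for upgrading to a patched `vega-interpreter`: the advisory says any other sufficient function gadget in the global scope also works, so the shape heuristics above only cover the two gadgets it names. Running `findExposedVegaGadgets(window)` from an end-to-end test is a cheap way to catch a debugging assignment to `window` before it ships.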
