From nobody Sun Apr  5 20:51:05 2026
Received: (at submit) by bugs.debian.org; 10 Jan 2026 12:58:51 +0000
Return-path: <carnil@debian.org>
Received: from c-82-192-244-13.customer.ggaweb.ch ([82.192.244.13]:59698
 helo=eldamar.lan) by buxtehude.debian.org with esmtp (Exim 4.96)
 (envelope-from <carnil@debian.org>) id 1veYYM-00EuI8-0Q
 for submit@bugs.debian.org; Sat, 10 Jan 2026 12:58:51 +0000
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: vega.js: CVE-2025-59840
Message-ID: <176804992899.164542.3289146865165025736.reportbug@eldamar.lan>
X-Mailer: reportbug 13.2.0
Date: Sat, 10 Jan 2026 13:58:48 +0100
Delivered-To: submit@bugs.debian.org

Source: vega.js
Version: 5.28.0+ds+~cs5.3.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for vega.js.

CVE-2025-59840[0]:
| Vega is a visualization grammar, a declarative format for creating,
| saving, and sharing interactive visualization designs. In Vega prior
| to version 6.2.0, applications meeting 2 conditions are at risk of
| arbitrary JavaScript code execution, even if "safe mode"
| expressionInterpreter is used. They are vulnerable if they use
| `vega` in an application that attaches `vega` library and a
| `vega.View` instance similar to the Vega Editor to the global
| `window` and if they allow user-defined Vega `JSON` definitions (vs
| JSON that is only provided through source code). Patches are
| available in the following Vega applications. If using the latest
| Vega line (6.x), upgrade to `vega` `6.2.0` / `vega-expression`
| `6.1.0` / `vega-interpreter` `2.2.1` (if using AST evaluator mode).
| If using Vega in a non-ESM environment, upgrade to `vega-expression`
| `5.2.1` / `1.2.1` (if using AST evaluator mode). Some workarounds
| are available. Do not attach `vega` View instances to global
| variables, and do not attach `vega` to the global window. These
| practices of attaching the vega library and View instances may be
| convenient for debugging, but should not be used in production or in
| any situation where vega/vega-lite definitions could be provided by
| untrusted parties.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-59840
    https://www.cve.org/CVERecord?id=CVE-2025-59840
[1] https://github.com/vega/vega/security/advisories/GHSA-7f2v-3qq3-vvjf

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
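As an added example (not code from this bug report or from the Vega project), the Vega Editor-style wiring the advisory describes is shown next to a hardened alternative and a regression guard a test suite can run; the `vega` object is a stub constructed here so the file runs offline, and `mountUnsafe`, `mountSafe` and `findLeakedVegaGlobals` are names assumed for the example.

```javascript
// Stub standing in for `import * as vega from "vega"` so this runs offline
// (constructed for the example; the real library is not needed here).
const vega = {
  parse: (spec) => ({ spec }),
  View: class View {
    constructor(runtime) { this.runtime = runtime; }
    run() { return this; }
  },
};

// Vega Editor-style wiring: the library and the live View are attached to
// the global object. Combined with user-supplied Vega JSON this is the
// condition CVE-2025-59840 describes, so it must not ship in production.
function mountUnsafe(globalObj, spec) {
  const view = new vega.View(vega.parse(spec)).run();
  globalObj.vega = vega; // library reachable from any evaluated expression
  globalObj.view = view; // View instance reachable the same way
  return view;
}

// Hardened wiring: the View stays in closure scope and the app exposes only
// the narrow operations it actually needs.
function mountSafe(spec) {
  const view = new vega.View(vega.parse(spec)).run();
  return { rerun: () => view.run() };
}

// Regression guard for a test suite or a startup self-check: list global
// properties that hold the vega namespace or a vega.View instance.
function findLeakedVegaGlobals(globalObj) {
  return Object.keys(globalObj)
    .filter((k) => globalObj[k] === vega || globalObj[k] instanceof vega.View)
    .sort();
}

// Stand-alone demonstration against constructed stand-ins for `window`.
const fakeWindow = {};
mountUnsafe(fakeWindow, {});
console.log("unsafe wiring leaks:", findLeakedVegaGlobals(fakeWindow));
const cleanWindow = {};
mountSafe({});
console.log("safe wiring leaks:", findLeakedVegaGlobals(cleanWindow));
```

In a browser build the guard would be run against `window` (or `globalThis`) after the application has mounted its views.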