[Pkg-javascript-devel] Bug#1125183: vega.js: CVE-2025-59840
Salvatore Bonaccorso
carnil at debian.org
Sat Jan 10 12:58:48 GMT 2026
Source: vega.js
Version: 5.28.0+ds+~cs5.3.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for vega.js.
CVE-2025-59840[0]:
| Vega is a visualization grammar, a declarative format for creating,
| saving, and sharing interactive visualization designs. In Vega prior
| to version 6.2.0, applications meeting 2 conditions are at risk of
| arbitrary JavaScript code execution, even if "safe mode"
| expressionInterpreter is used. They are vulnerable if they use
| `vega` in an application that attaches `vega` library and a
| `vega.View` instance similar to the Vega Editor to the global
| `window` and if they allow user-defined Vega `JSON` definitions (vs
| JSON that is only provided through source code). Patches are
| available in the following Vega applications. If using the latest
| Vega line (6.x), upgrade to `vega` `6.2.0` / `vega-expression`
| `6.1.0` / `vega-interpreter` `2.2.1` (if using AST evaluator mode).
| If using Vega in a non-ESM environment, upgrade to `vega-expression`
| `5.2.1` / `1.2.1` (if using AST evaluator mode). Some workarounds
| are available. Do not attach `vega` View instances to global
| variables, and do not attach `vega` to the global window. These
| practices of attaching the vega library and View instances may be
| convenient for debugging, but should not be used in production or in
| any situation where vega/vega-lite definitions could be provided by
| untrusted parties.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-59840
https://www.cve.org/CVERecord?id=CVE-2025-59840
[1] https://github.com/vega/vega/security/advisories/GHSA-7f2v-3qq3-vvjf
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
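The quoted advisory names two preconditions: the `vega` library and a `vega.View` reachable from the global object, plus specs supplied by untrusted parties. The following is an added example, not code from this bug report or the vega project: a runtime guard that reports globals exposing either object by shape, so a renamed or nested debug handle is caught too. It uses constructed stand-ins modelled on vega's public API (`View`, `parse`, `runAsync`, `signal`) in place of the real library so it runs offline.

```javascript
// Constructed stand-ins shaped like vega's public API (assumption: the
// library object exports a `View` constructor and `parse`; a View
// instance has `runAsync` and `signal`). Not the real library.
const fakeVega = { View: function View() {}, parse: () => ({}) };
const fakeView = { runAsync: async () => {}, signal: () => {} };

function looksLikeVegaLibrary(v) {
  return v !== null && typeof v === 'object' &&
    typeof v.View === 'function' && typeof v.parse === 'function';
}

function looksLikeVegaView(v) {
  return v !== null && typeof v === 'object' &&
    typeof v.runAsync === 'function' && typeof v.signal === 'function';
}

// Report global property paths that expose the library or a View.
// Scans one level of nesting so a debug bag such as
// `window.VEGA_DEBUG = { vega, view }` is caught as well as `window.view`.
function findGlobalVegaExposure(globalObj, prefix = '', depth = 1) {
  const leaks = [];
  for (const name of Object.getOwnPropertyNames(globalObj)) {
    let value;
    try { value = globalObj[name]; } catch { continue; } // some host getters throw
    const path = prefix + name;
    if (looksLikeVegaLibrary(value)) leaks.push(path + ' (library)');
    else if (looksLikeVegaView(value)) leaks.push(path + ' (view)');
    else if (depth > 0 && value !== null && typeof value === 'object') {
      leaks.push(...findGlobalVegaExposure(value, path + '.', depth - 1));
    }
  }
  return leaks;
}

// Weak pattern (the Vega Editor style the advisory describes): library
// and View attached to the global object for debugging convenience.
function debugStyleSetup(globalObj) {
  globalObj.vega = fakeVega;
  globalObj.VEGA_DEBUG = { view: fakeView };
  return findGlobalVegaExposure(globalObj);
}

// Hardened pattern: the View lives in closure scope, only its output
// leaves it, and nothing is written to the global object.
function productionStyleSetup(globalObj) {
  const view = fakeView; // in real code: new vega.View(vega.parse(spec), ...)
  const render = () => view.runAsync();
  render();
  return findGlobalVegaExposure(globalObj);
}
```

Calling `findGlobalVegaExposure(window)` from a production build's self-test (or a browser test) flags the debugging habit before untrusted specs ever reach the page.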