On 05/04/2026 at 08:39, Xavier wrote:
On 05/04/2026 at 08:28, Xavier wrote:
On 04/04/2026 at 16:40, Moritz Mühlenhoff wrote:
On Sat, Apr 04, 2026 at 10:19:43AM +0200, Salvatore Bonaccorso wrote:
Hi Xavier,

On Sat, Apr 04, 2026 at 08:24:30AM +0200, Xavier wrote:
Hi,

CVE-2025-66648 is just for vega.js 6.1.0 and fixed in 6.1.1, so vega.js
isn't affected.

What is the fixing change so we can properly track it in the
security-tracker?

Things are not very clear to me with
https://github.com/vega/vega/commits/v6.1.1/ .

The advisory data appears to be incorrect; the changes between 6.1.0 and 6.1.1 only
bump the version strings:

--------------------------------------------------
$ diff -Naur vega-6.1.0 vega-6.1.1 | diffstat
  docs/vega-core.js              |    2 +-
  docs/vega-core.min.js          |    2 +-
  docs/vega.js                   |    2 +-
  docs/vega.min.js               |    2 +-
  packages/vega-cli/package.json |    4 ++--
  packages/vega/package.json     |    2 +-
  6 files changed, 7 insertions(+), 7 deletions(-)
--------------------------------------------------

Cheers,
         Moritz

Hi,

the fix may be in https://github.com/vega/vega/commit/47afa04f, included in 6.1.1 but not 6.2.0... Difficult to find information in the repo...

Oh,

it seems to be an npm-only published fix! I can see this commit in a diff between "npm install vega-functions@6.1.0" and "npm install vega-functions@6.1.1"

$ diff -aburN 6.1.*/vega-functions/build/vega-functions.js
--- 6.1.0/vega-functions/build/vega-functions.js        2026-04-05 08:32:08.183581218 +0200 +++ 6.1.1/vega-functions/build/vega-functions.js        2026-04-05 08:32:24.191086855 +0200
@@ -251,6 +251,16 @@
  function removePredicate(props) {
    return _ => equalObject(props, _);
  }
+
+/**
+ * Modify data in a dataset.
+ * @param {string} name - Dataset name
+ * @param {Array|Object} insert - Data to insert
+ * @param {boolean|Array|Object} remove - true to remove all, array/ tuple to remove, or object to match
+ * @param {Object} toggle - Data to toggle
+ * @param {Object|Array} modify - Tuple or array of tuples to modify
+ * @param {Object} values - Field values to update
+ */
  function modify (name, insert, remove, toggle, modify, values) {
    const df = this.context.dataflow,
      data = this.context.data[name],
@@ -287,6 +297,9 @@
      }
    }
    if (modify) {
+    if (isFunction(modify)) {
+      throw Error('modify parameter must be a data tuple, not a function');
+    }
      for (key in values) {
        changes.modify(modify, key, values[key]);
      }
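Review bot: The new guard only rejects `modify` when `isFunction(modify)` is true, so any other non-tuple value (a string, a number, `true`) still reaches `changes.modify(modify, key, values[key])`; since the docstring describes `modify` as a tuple or array of tuples, an allowlist check such as `if (!isObject(modify) && !isArray(modify)) throw Error('modify parameter must be a data tuple');` (assuming helpers like those are available alongside `isFunction`) would be stricter than a denylist of functions. Please also confirm `isFunction` is imported in this module, as the hunk does not show where it comes from, and note that the function also accepts `insert`, `remove` and `toggle` but this hunk adds no equivalent check for them; verify whether they need one.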

And so current vega.js is really vulnerable.
