Hi,
CVE-2025-26619 is marked as fixed in version 5.31.0 and Debian/sid has
5.33.1. However, I checked the code and CVE-2025-26619 is actually fixed
in vega 5.33.1, though through a different approach than the original
patch (commit 8fc129a).
The original fix in 5.31.0 removed function support entirely from
getScale() in packages/vega-functions/src/scales.js, accepting only strings.
Between 5.31 and 5.33, the code was refactored to accept functions
again, but with a guard using isRegisteredScale(). This function checks
for a private Symbol('vega_scale') property that is only set internally
by the scale registration mechanism (create() in
packages/vega-scale/src/scales.js). Since JavaScript Symbols are not
accessible from the Vega expression language, an attacker cannot forge a
function that passes this check — any arbitrary function passed via the
expression language will return undefined from getScale().
So while the code path looks superficially similar to the vulnerable
version (it still accepts functions), the Symbol-based guard provides
equivalent security to the original fix.
Best regards,
Xavier
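The Symbol-based guard described in the message, as an added illustration that is not Vega's own code: a module-private Symbol tags scales built by the registry, and getScale() returns undefined for any function that lacks it. The function bodies, the toy 'linear' scale and the demo() helper are assumptions that stand in for create(), isRegisteredScale() and getScale().

```javascript
// Simplified stand-in for Vega's create()/isRegisteredScale()/getScale();
// the bodies below are assumptions, not the project's actual code.

// Module-private tag. Code that only receives the exported functions
// cannot reach this Symbol, so only create() can attach it.
const SCALE_TAG = Symbol('vega_scale');

// Registry of scale constructors keyed by type name (constructed).
const registry = {
  linear: () => {
    const s = (x) => x * 2; // toy scale: doubles its input
    s.type = 'linear';
    return s;
  },
};

// Stand-in for create(): build a scale and tag it with the private Symbol.
function create(type) {
  const ctor = registry[type];
  if (!ctor) throw new Error(`unknown scale type: ${type}`);
  const scale = ctor();
  scale[SCALE_TAG] = true;
  return scale;
}

// Stand-in for isRegisteredScale(): trusted only if it carries the
// private Symbol property, which expression-language values cannot set.
function isRegisteredScale(fn) {
  return typeof fn === 'function' && fn[SCALE_TAG] === true;
}

// Stand-in for getScale(): strings are looked up by name; functions are
// accepted only if they pass the Symbol guard; anything else is undefined.
function getScale(nameOrFn, scales) {
  if (typeof nameOrFn === 'string') return scales[nameOrFn];
  if (isRegisteredScale(nameOrFn)) return nameOrFn;
  return undefined;
}

// Constructed scenario: one registered scale and a function that mimics
// its visible shape but was built outside create() (string key, not Symbol).
const scales = { x: create('linear') };
const lookalike = (v) => v;
lookalike.type = 'linear';
lookalike['vega_scale'] = true;

function demo() {
  return {
    byName: getScale('x', scales)(21),          // 42
    registered: getScale(scales.x, scales)(21), // 42
    forged: getScale(lookalike, scales),        // undefined
  };
}
```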