Your message dated Sun, 05 Apr 2026 09:33:33 +0000
with message-id <[email protected]>
and subject line Bug#1125185: fixed in vega.js 5.33.1+ds+~cs5.3.0-2
has caused the Debian Bug report #1125185,
regarding vega.js: CVE-2025-66648
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1125185: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125185
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vega.js
Version: 5.28.0+ds+~cs5.3.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for vega.js.

CVE-2025-66648[0]:
| vega-functions provides function implementations for the Vega
| expression language. Prior to version 6.1.1, for sites that allow
| users to supply untrusted user input, malicious use of an internal
| function (not part of the public API) could be used to run
| unintentional javascript (XSS). This issue is fixed in vega-
| functions `6.1.1`. There is no workaround besides upgrading. Using
| `vega.expressionInterpreter` as described in CSP safe mode does not
| prevent this issue.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-66648
    https://www.cve.org/CVERecord?id=CVE-2025-66648
[1] https://github.com/vega/vega/security/advisories/GHSA-m9rg-mr6g-75gm

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: vega.js
Source-Version: 5.33.1+ds+~cs5.3.0-2
Done: Xavier Guimard <[email protected]>

We believe that the bug you reported is fixed in the latest version of
vega.js, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated vega.js package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])



Format: 1.8
Date: Sun, 05 Apr 2026 11:15:12 +0200
Source: vega.js
Architecture: source
Version: 5.33.1+ds+~cs5.3.0-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1125185
Changes:
 vega.js (5.33.1+ds+~cs5.3.0-2) unstable; urgency=medium
 .
   * Team upload
   * Fix XSS in vega-functions (Closes: #1125185, CVE-2025-66648)



--- End Message ---
-- 
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel