Your message dated Sun, 05 Apr 2026 19:48:35 +0000
with message-id <[email protected]>
and subject line Bug#1125184: fixed in vega.js 5.33.1+ds+~cs5.3.0-4
has caused the Debian Bug report #1125184,
regarding vega.js: CVE-2025-65110
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1125184: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1125184
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: vega.js
Version: 5.28.0+ds+~cs5.3.0-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,
The following vulnerability was published for vega.js.
CVE-2025-65110[0]:
| Vega is a visualization grammar, a declarative format for creating,
| saving, and sharing interactive visualization designs. Prior to
| versions 6.1.2 and 5.6.3, applications meeting two conditions are at
| risk of arbitrary JavaScript code execution, even if "safe mode"
| expressionInterpreter is used. First, they use `vega` in an
| application that attaches both `vega` library and a `vega.View`
| instance similar to the Vega Editor to the global `window`, or has
| any other satisfactory function gadgets in the global scope. Second,
| they allow user-defined Vega `JSON` definitions (vs JSON that is
| only provided through source code). This vulnerability allows for
| DOM XSS, potentially stored, potentially reflected, depending on how
| the library is being used. The vulnerability requires user
| interaction with the page to trigger. An attacker can exploit this
| issue by tricking a user into opening a malicious Vega
| specification. Successful exploitation allows the attacker to
| execute arbitrary JavaScript in the context of the application’s
| domain. This can lead to theft of sensitive information such as
| authentication tokens, manipulation of data displayed to the user,
| or execution of unauthorized actions on behalf of the victim. This
| exploit compromises confidentiality and integrity of impacted
| applications. Patched versions are available in `vega-[email protected]`
| (requires ESM) for Vega v6 and `vega-[email protected]` (no ESM needed)
| for Vega v5. As a workaround, do
| not attach `vega` or `vega.View` instances to global variables or
| the window as the editor used to do. This is a development-only
| debugging practice that should not be used in any situation where
| Vega/Vega-lite definitions can come from untrusted parties.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-65110
https://www.cve.org/CVERecord?id=CVE-2025-65110
[1] https://github.com/vega/vega/security/advisories/GHSA-829q-m3qg-ph8r
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
--- End Message ---
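The advisory's workaround is to stop attaching `vega` or a `vega.View` instance to `window`, since those globals are the gadgets a user-supplied spec can reach even in "safe mode". The following is an added example, not code from the report or the vega project: a defender-side audit that scans a global object for that pattern, beside the closure-based mount that avoids it. `FakeView`/`fakeVega` are constructed stand-ins so it runs offline under Node, and `auditVegaGlobals`, `mountIsolated` and `mountLikeOldEditor` are hypothetical names.

```javascript
// Constructed stand-ins for the vega library and vega.View (example only).
class FakeView {
  constructor(spec) { this.spec = spec; }
}
const fakeVega = { View: FakeView, version: '5.28.0' };

// Return every global property matching the risky pattern from the advisory:
// the library object itself, a View instance, or the View constructor.
function auditVegaGlobals(globalObj, ViewCtor = FakeView) {
  const findings = [];
  for (const name of Object.keys(globalObj)) {
    const v = globalObj[name];
    if (v === null || (typeof v !== 'object' && typeof v !== 'function')) continue;
    if (v instanceof ViewCtor) {
      findings.push({ name, kind: 'view-instance' });
    } else if (v === ViewCtor) {
      findings.push({ name, kind: 'view-constructor' });
    } else if (typeof v === 'object' && v.View === ViewCtor) {
      findings.push({ name, kind: 'library' });
    }
  }
  return findings;
}

// Hardened pattern: the view lives only inside this closure and nothing is
// assigned to the global object, so no gadget is reachable from the spec.
function mountIsolated(vegaLib, spec) {
  const view = new vegaLib.View(spec);
  return { spec: view.spec, dispose() { /* view.finalize() with real vega */ } };
}

// The pattern the advisory warns against ("as the editor used to do"):
// library and view instance hung off the global object for debugging.
function mountLikeOldEditor(globalObj, vegaLib, spec) {
  globalObj.vega = vegaLib;
  globalObj.view = new vegaLib.View(spec);
}

// Constructed stand-in for window in both configurations.
const riskyWin = {};
mountLikeOldEditor(riskyWin, fakeVega, { data: [] });
const cleanWin = {};
const handle = mountIsolated(fakeVega, { data: [] });

console.log('risky:', auditVegaGlobals(riskyWin));  // two findings
console.log('clean:', auditVegaGlobals(cleanWin));  // []
```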
--- Begin Message ---
Source: vega.js
Source-Version: 5.33.1+ds+~cs5.3.0-4
Done: Xavier Guimard <[email protected]>
We believe that the bug you reported is fixed in the latest version of
vega.js, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Xavier Guimard <[email protected]> (supplier of updated vega.js package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
Format: 1.8
Date: Sun, 05 Apr 2026 21:24:58 +0200
Source: vega.js
Architecture: source
Version: 5.33.1+ds+~cs5.3.0-4
Distribution: unstable
Urgency: medium
Maintainer: Debian Javascript Maintainers <[email protected]>
Changed-By: Xavier Guimard <[email protected]>
Closes: 1125183 1125184
Changes:
vega.js (5.33.1+ds+~cs5.3.0-4) unstable; urgency=medium
.
* Fix XSS in vega-interpreter (Closes: #1125183, CVE-2025-59840)
* Fix XSS in vega-selections (Closes: #1125184, CVE-2025-65110)
--- End Message ---
--
Pkg-javascript-devel mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel