| Name | CVE-2025-27793 |
| Description | Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library was used with the `vega-interpreter`. Vega version 5.32.0 and vega-functions version 5.17.0 fix the issue. As a workaround, use `vega` with expression interpreter. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1125182 |
The table below lists information on source packages.
| Source Package | Release | Version | Status |
|---|---|---|---|
| vega.js (PTS) | bookworm | 5.22.1+ds+~3.1.0-4 | vulnerable |
| forky, trixie | 5.28.0+ds+~cs5.3.0-1 | vulnerable | |
| sid | 5.28.0+ds+~cs5.3.0-2 | vulnerable |
The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| vega.js | source | (unstable) | (unfixed) | 1125182 |
https://github.com/vega/vega/security/advisories/GHSA-963h-3v39-3pqf
Fixed by: https://github.com/vega/vega/commit/694560c0aa576df8b6c5f0f7d202ac82233e6966 (v5.32.0)