CVE-2025-27793

Publication date 27 March 2025

Last updated 2 April 2025

Ubuntu priority

Description

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library was used with the `vega-interpreter`. Vega version 5.32.0 and vega-functions version 5.17.0 fix the issue. As a workaround, use `vega` with expression interpreter.

Status

Show unmaintained releases

Package	Ubuntu Release	Status
vega.js	25.10 questing	Needs evaluation
	25.04 plucky	Ignored end of life, was needs-triage
	24.10 oracular	Ignored end of life, was needs-triage
	24.04 LTS noble	Needs evaluation
	22.04 LTS jammy	Not in release
	20.04 LTS focal	Not in release

How can I get the fixes?
What do statuses mean?

References

MITRE
NVD
Launchpad
Debian

Other references

https://www.cve.org/CVERecord?id=CVE-2025-27793
https://github.com/vega/vega/commit/694560c0aa576df8b6c5f0f7d202ac82233e6966
https://github.com/vega/vega/releases/tag/v5.32.0
https://github.com/vega/vega/security/advisories/GHSA-963h-3v39-3pqf
https://vega.github.io/vega/usage/interpreter

CVE-2025-27793

Description

Status

References

Other references

Access our resources on patching vulnerabilities