UBUNTU-CVE-2025-66648

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2025-66648

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-66648.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2025-66648

Upstream

CVE-2025-66648

Published

2026-01-05T22:15:00Z

Modified

2026-02-05T21:19:29.167657Z

Severity

7.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N CVSS Calculator
6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional javascript (XSS). This issue is fixed in vega-functions 6.1.1. There is no workaround besides upgrading. Using vega.expressionInterpreter as described in CSP safe mode does not prevent this issue.

References

Affected packages

Ubuntu:24.04:LTS / vega.js

Package

Name: vega.js
Purl: pkg:deb/ubuntu/vega.js@5.25.0+ds+~cs5.3.0-5?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

5.*

5.25.0+ds+~cs5.3.0-2

5.25.0+ds+~cs5.3.0-5

Ecosystem specific

{
    "binaries": [
        {
            "binary_version": "5.25.0+ds+~cs5.3.0-5",
            "binary_name": "libjs-vega"
        },
        {
            "binary_version": "5.25.0+ds+~cs5.3.0-5",
            "binary_name": "node-vega"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2025/UBUNTU-CVE-2025-66648.json"

Ubuntu:25.10 / vega.js