[GHSA-7f2v-3qq3-vvjf] Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VEGA_DEBUG global variable #6416
Hi there @hydrosquall! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
Pull Request Overview
This PR corrects a typo in the Vega security advisory GHSA-7f2v-3qq3-vvjf. The patched version was incorrectly listed as "6.20" instead of the proper semantic version "6.2.0".
- Corrected the fixed version from "6.20" to "6.2.0" in the security advisory
- Updated the modification timestamp to reflect the change
0154288 into kachkaev/advisory-improvement-6416
Hi @kachkaev! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
Thanks so much @kachkaev for fixing this!
Typo in Vega version. Currently patched version (wrong): 6.20, actual (correct): 6.2.0
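Why a one-character version typo matters: advisory consumers (audit tools, Dependabot-style matchers) compare an installed version against the advisory's fixed version, and a two-component string like "6.20" is commonly coerced to "6.20.0", so every Vega release from 6.2.0 up to but not including 6.20.0 would be reported as still vulnerable. The following is an added example written for this page; it is not code from the advisory database or the Vega project. It assumes the affected range is "every version below the fixed version" and that the matcher pads a two-component version with a trailing zero (this loose parsing varies between tools); the installed-version list is constructed for illustration and does not claim those Vega releases exist.

```javascript
// Added example (not part of the advisory or the Vega project): shows how a
// malformed fixed version ("6.20") versus the correct one ("6.2.0") changes
// which installed versions a range matcher flags as vulnerable.
//
// Assumptions: affected range is "< fixedVersion", and a two-component version
// such as "6.20" is coerced to "6.20.0" (loose parsing; behaviour varies by tool).

// Strict check an advisory curator could run before publishing: a fixed version
// must be a full MAJOR.MINOR.PATCH triple (pre-release/build suffixes omitted here).
function isStrictSemver(v) {
  return /^\d+\.\d+\.\d+$/.test(v);
}

// Loose parse: accept 2 or 3 numeric components, pad missing PATCH with 0.
function parseVersion(v) {
  const parts = v.split('.').map(Number);
  if (parts.length < 2 || parts.length > 3 ||
      parts.some(n => !Number.isInteger(n) || n < 0)) {
    throw new Error(`unparseable version: ${v}`);
  }
  while (parts.length < 3) parts.push(0); // "6.20" -> [6, 20, 0]
  return parts;
}

// Numeric component-wise comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Vulnerable if installed version is strictly below the fixed version.
function isVulnerable(installed, fixedVersion) {
  return compareVersions(installed, fixedVersion) < 0;
}

// Installed versions that get a different verdict under the wrong vs. the
// correct fixed version, i.e. the false positives the typo would cause.
function misclassified(installed, wrongFixed, rightFixed) {
  return installed.filter(
    v => isVulnerable(v, wrongFixed) !== isVulnerable(v, rightFixed)
  );
}

// Constructed sample of installed versions (hypothetical, for illustration only).
const INSTALLED = ['5.33.0', '6.1.2', '6.2.0', '6.5.0', '6.19.0', '6.20.0', '7.0.0'];

const WRONG_FIXED = '6.20';   // the value the advisory carried before this PR
const RIGHT_FIXED = '6.2.0';  // the corrected value

console.log('advisory value is strict semver:', isStrictSemver(WRONG_FIXED)); // false
console.log('corrected value is strict semver:', isStrictSemver(RIGHT_FIXED)); // true
console.log('falsely flagged with "6.20":', misclassified(INSTALLED, WRONG_FIXED, RIGHT_FIXED));
```

The `isStrictSemver` check is the cheap guard: rejecting any fixed version that is not a full three-part triple at submission time would have caught "6.20" before it reached consumers of the global advisory.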