{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "1.12.0" } ] }, "events": [ { "introduced": "0" }, { "fixed": "9b6784831d37db948cdd61f6da1f3489e8f97906" } ], "repo": "https://github.com/endojs/endo", "type": "GIT" } ] } ], "aliases": [ "GHSA-h9w6-f932-gq62" ], "database_specific": { "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-497" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32792.json" }, "details": "SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using `ses` and the Compartment API to evaluate third-party code in an isolated execution environment that have also elsewhere used `const`, `let`, and `class` bindings in the top-level scope of a `\u003cscript\u003e` tag will have inadvertently revealed these bindings in the lexical scope of third-party code. This issue has been patched in version 1.12.0. Workarounds for this issue involve either avoiding top-level `let`, `const`, or `class` bindings in `\u003cscript\u003e` tags, or change these to `var` bindings to be reflected on `globalThis`.", "id": "CVE-2025-32792", "modified": "2026-03-10T21:53:25.494421756Z", "published": "2025-04-18T16:04:16.778Z", "references": [ { "type": "ADVISORY", "url": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32792.json" }, { "type": "ADVISORY", "url": "https://github.com/endojs/endo/security/advisories/GHSA-h9w6-f932-gq62" }, { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-32792" } ], "schema_version": "1.7.3", "severity": [ { "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N", "type": "CVSS_V4" } ], "summary": "ses's global contour bindings leak into Compartment lexical scope" }