{"id":"CVE-2025-32792","summary":"ses's global contour bindings leak into Compartment lexical scope","details":"SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using `ses` and the Compartment API to evaluate third-party code in an isolated execution environment that have also elsewhere used `const`, `let`, and `class` bindings in the top-level scope of a `\u003cscript\u003e` tag will have inadvertently revealed these bindings in the lexical scope of third-party code. This issue has been patched in version 1.12.0. Workarounds for this issue involve either avoiding top-level `let`, `const`, or `class` bindings in `\u003cscript\u003e` tags, or change these to `var` bindings to be reflected on `globalThis`.","aliases":["GHSA-h9w6-f932-gq62"],"modified":"2026-04-10T05:25:14.438566Z","published":"2025-04-18T16:04:16.778Z","database_specific":{"cna_assigner":"GitHub_M","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32792.json","cwe_ids":["CWE-497"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32792.json"},{"type":"ADVISORY","url":"https://github.com/endojs/endo/security/advisories/GHSA-h9w6-f932-gq62"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32792"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/endojs/endo","events":[{"introduced":"0"},{"fixed":"9b6784831d37db948cdd61f6da1f3489e8f97906"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"1.12.0"}]}}],"versions":["@endo/base64@0.2.27","@endo/bundle-source@2.2.2","@endo/captp@2.0.9","@endo/check-bundle@0.2.5","@endo/cjs-module-analyzer@0.2.27","@endo/cli@0.1.14","@endo/compartment-mapper@0.7.7","@endo/daemon@0.1.14","@endo/eslint-config@0.5.1","@endo/eslint-plugin@0.4.1","@endo/eventual-send@0.15.5","@endo/far@0.2.5","@endo/import-bundle@0.2.47","@endo/init@0.5.43","@endo/lockdown@0.1.15","@endo/lp32@0.3.13","@endo/marshal@0.6.9","@endo/nat@4.1.14","@endo/netstring@0.3.13","@endo/promise-kit@0.2.43","@endo/ses-ava@0.2.27","@endo/static-module-record@0.7.6","@endo/stream-node@0.2.13","@endo/stream-types-test@0.1.24","@endo/stream@0.3.12","@endo/syrup@0.1.27","@endo/test262-runner@0.1.28","@endo/where@0.2.9","@endo/zip@0.2.27","SES-v0.10.0","SES-v0.10.1","SES-v0.10.2","SES-v0.10.3","SES-v0.11.0","SES-v0.11.1","SES-v0.12.3","SES-v0.12.4","SES-v0.7.0","SES-v0.7.1","SES-v0.7.2","SES-v0.7.3","SES-v0.7.4","SES-v0.7.5","SES-v0.7.6","SES-v0.7.7","SES-v0.8.0","SES-v0.9.0","SES-v0.9.1","compartment-mapper-v0.1.0","compartment-mapper-v0.2.0","compartment-mapper-v0.2.1","compartment-mapper-v0.2.3","harden-v0.0.5","harden-v0.0.6","harden-v0.0.7","harden-v0.0.8","harden-v0.1.0","harden-v0.2.0","make-hardener-v0.0.7","make-hardener-v0.0.9","make-hardener-v0.1.0","make-hardener-v0.1.2","ses-ava-v0.1.0","ses-integration-test@3.0.17","ses-v0.12.1","ses-v0.12.2","ses-v0.12.5","ses@0.15.17","transform-module-v0.4.0","transform-module-v0.4.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32792.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}]}