CVE-2025-32792: ses's global contour bindings leak into Compartment lexical scope

8.7 CVSS

Description

SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using `ses` and the Compartment API to evaluate third-party code in an isolated execution environment that have also elsewhere used `const`, `let`, and `class` bindings in the top-level scope of a `` tag will have inadvertently revealed these bindings in the lexical scope of third-party code. This issue has been patched in version 1.12.0. Workarounds for this issue involve either avoiding top-level `let`, `const`, or `class` bindings in `` tags, or change these to `var` bindings to be reflected on `globalThis`.

Classification

CVE ID: CVE-2025-32792

CVSS Base Severity: HIGH

CVSS Base Score: 8.7

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem Types

CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere

Affected Products

Vendor: endojs

Product: endo

References

https://nvd.nist.gov/vuln/detail/CVE-2025-32792
https://github.com/endojs/endo/security/advisories/GHSA-h9w6-f932-gq62

Timeline

2025-04-18 17:40:15 UTC
CVE

ses's global contour bindings leak into Compartment lexical scope