VYPR
High severityOSV Advisory· Published Apr 18, 2025· Updated Apr 15, 2026

CVE-2025-32792

CVE-2025-32792

Description

SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using ses and the Compartment API to evaluate third-party code in an isolated execution environment that have also elsewhere used const, let, and class bindings in the top-level scope of a ` tag will have inadvertently revealed these bindings in the lexical scope of third-party code. This issue has been patched in version 1.12.0. Workarounds for this issue involve either avoiding top-level let, const, or class bindings in tags, or change these to var bindings to be reflected on globalThis`.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
sesnpm
< 1.12.01.12.0

Affected products

2
  • Range: @endo/base64@0.2.27, @endo/bundle-source@2.2.2, @endo/captp@2.0.9, …
  • ghsa-coords
    Range: < 1.12.0

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.