CVE-2025-32792
Description
SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using ses and the Compartment API to evaluate third-party code in an isolated execution environment that have also elsewhere used const, let, and class bindings in the top-level scope of a ` tag will have inadvertently revealed these bindings in the lexical scope of third-party code. This issue has been patched in version 1.12.0. Workarounds for this issue involve either avoiding top-level let, const, or class bindings in tags, or change these to var bindings to be reflected on globalThis`.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
sesnpm | < 1.12.0 | 1.12.0 |
Affected products
2Patches
Vulnerability mechanics
References
3News mentions
0No linked articles in our index yet.