High severityNVD Advisory· Published Apr 18, 2025· Updated Apr 15, 2026

CVE-2025-32792

Description

SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using ses and the Compartment API to evaluate third-party code in an isolated execution environment that have also elsewhere used const, let, and class bindings in the top-level scope of a <script> tag will have inadvertently revealed these bindings in the lexical scope of third-party code. This issue has been patched in version 1.12.0. Workarounds for this issue involve either avoiding top-level let, const, or class bindings in <script> tags, or change these to var bindings to be reflected on globalThis.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
sesnpm	< 1.12.0	1.12.0

Patches

9b6784831d37

https://github.com/endojs/endovia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-h9w6-f932-gq62ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-32792ghsaADVISORY
github.com/endojs/endo/security/advisories/GHSA-h9w6-f932-gq62nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000