// For flags

CVE-2025-32792

ses's global contour bindings leak into Compartment lexical scope

Severity Score

8.7
*CVSS v4

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

Attend
*SSVC
Descriptions

SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using `ses` and the Compartment API to evaluate third-party code in an isolated execution environment that have also elsewhere used `const`, `let`, and `class` bindings in the top-level scope of a `<script>` tag will have inadvertently revealed these bindings in the lexical scope of third-party code. This issue has been patched in version 1.12.0. Workarounds for this issue involve either avoiding top-level `let`, `const`, or `class` bindings in `<script>` tags, or change these to `var` bindings to be reflected on `globalThis`.

SES ejecuta de forma segura programas JavaScript de terceros en modo estricto en compartimentos sin exceso de autoridad en su ámbito global. Antes de la versión 1.12.0, las páginas web y extensiones que usaban `ses` y la API de Compartimiento para evaluar código de terceros en un entorno de ejecución aislado, y que también utilizaban enlaces `const`, `let` y `class` en el ámbito de nivel superior de una etiqueta `

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Attack Requirements
None
Privileges Required
None
User Interaction
None
System
Vulnerable | Subsequent
Confidentiality
High
None
Integrity
None
None
Availability
None
None
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
High
Availability
None
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:Attend
Exploitation
None
Automatable
Yes
Tech. Impact
Partial
* Organization's Worst-case Scenario
Timeline
  • 2025-04-10 CVE Reserved
  • 2025-04-18 CVE Published
  • 2025-04-21 CVE Updated
  • 2025-05-04 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
CAPEC
References (1)
URL Tag Source
https://github.com/endojs/endo/security/advisories/GHSA-h9w6-f932-gq62 X_refsource_confirm
URL Date SRC
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Endojs
Search vendor "Endojs"
 Endo
Search vendor "Endojs" for product "Endo"
 < 1.12.0
Search vendor "Endojs" for product "Endo" and version " < 1.12.0"
en
Affected