Mend.io Vulnerability Database

What is a CVE vulnerability ID? icon What is a WS vulnerability ID? icon What is an MSC vulnerability ID? icon
New vulnerability? Tell us about it!
icon

We found results for “

CVE-2025-32792

Good to know:

icon

Date: April 18, 2025

SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using "ses" and the Compartment API to evaluate third-party code in an isolated execution environment that have also elsewhere used "const", "let", and "class" bindings in the top-level scope of a "<script>" tag will have inadvertently revealed these bindings in the lexical scope of third-party code. This issue has been patched in version 1.12.0. Workarounds for this issue involve either avoiding top-level "let", "const", or "class" bindings in "<script>" tags, or change these to "var" bindings to be reflected on "globalThis".

Severity Score

Related Resources (4)

https://nvd.nist.gov/vuln/detail/CVE-2025-32792
https://github.com/endojs/endo
https://github.com/endojs/endo/security/advisories/GHSA-h9w6-f932-gq62
https://www.mend.io/vulnerability-database/CVE-2025-32792

Severity Score

Weakness Type (CWE)

Exposure of Sensitive System Information to an Unauthorized Control Sphere

CWE-497

Top Fix

icon

Upgrade Version

Upgrade to version ses - 1.12.0;https://github.com/endojs/endo.git - ses@1.12.0

Learn More

CVSS v3.1

Base Score:
Attack Vector (AV): NETWORK
Attack Complexity (AC): LOW
Privileges Required (PR): NONE
User Interaction (UI): NONE
Scope (S): UNCHANGED
Confidentiality (C): HIGH
Integrity (I): NONE
Availability (A): NONE

Do you need more information?

Contact Us