Vulnerability Description
SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using `ses` and the Compartment API to evaluate third-party code in an isolated execution environment that have also elsewhere used `const`, `let`, and `class` bindings in the top-level scope of a `<script>` tag will have inadvertently revealed these bindings in the lexical scope of third-party code. This issue has been patched in version 1.12.0. Workarounds for this issue involve either avoiding top-level `let`, `const`, or `class` bindings in `<script>` tags, or change these to `var` bindings to be reflected on `globalThis`.
Related Weaknesses (CWE)
References
FAQ
What is CVE-2025-32792?
CVE-2025-32792 is a documented vulnerability. SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using `ses`...
How severe is CVE-2025-32792?
CVSS scoring is not yet available for CVE-2025-32792. Check NVD for updates.
Is there a patch for CVE-2025-32792?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.