CVE-2025-32792

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2025-32792
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32792.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-32792
Aliases
Published
2025-04-18T16:04:16.778Z
Modified
2026-04-10T05:25:14.438566Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N CVSS Calculator
Summary
ses's global contour bindings leak into Compartment lexical scope
Details

SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using ses and the Compartment API to evaluate third-party code in an isolated execution environment that have also elsewhere used const, let, and class bindings in the top-level scope of a <script> tag will have inadvertently revealed these bindings in the lexical scope of third-party code. This issue has been patched in version 1.12.0. Workarounds for this issue involve either avoiding top-level let, const, or class bindings in <script> tags, or change these to var bindings to be reflected on globalThis.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/32xxx/CVE-2025-32792.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-497"
    ]
}
References

Affected packages

Git / github.com/endojs/endo

Affected ranges

Type
GIT
Repo
https://github.com/endojs/endo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
9b6784831d37db948cdd61f6da1f3489e8f97906
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.12.0"
        }
    ]
}

Affected versions

@endo/base64@0.*
@endo/base64@0.2.27
@endo/bundle-source@2.*
@endo/bundle-source@2.2.2
@endo/captp@2.*
@endo/captp@2.0.9
@endo/check-bundle@0.*
@endo/check-bundle@0.2.5
@endo/cjs-module-analyzer@0.*
@endo/cjs-module-analyzer@0.2.27
@endo/cli@0.*
@endo/cli@0.1.14
@endo/compartment-mapper@0.*
@endo/compartment-mapper@0.7.7
@endo/daemon@0.*
@endo/daemon@0.1.14
@endo/eslint-config@0.*
@endo/eslint-config@0.5.1
@endo/eslint-plugin@0.*
@endo/eslint-plugin@0.4.1
@endo/eventual-send@0.*
@endo/eventual-send@0.15.5
@endo/far@0.*
@endo/far@0.2.5
@endo/import-bundle@0.*
@endo/import-bundle@0.2.47
@endo/init@0.*
@endo/init@0.5.43
@endo/lockdown@0.*
@endo/lockdown@0.1.15
@endo/lp32@0.*
@endo/lp32@0.3.13
@endo/marshal@0.*
@endo/marshal@0.6.9
@endo/nat@4.*
@endo/nat@4.1.14
@endo/netstring@0.*
@endo/netstring@0.3.13
@endo/promise-kit@0.*
@endo/promise-kit@0.2.43
@endo/ses-ava@0.*
@endo/ses-ava@0.2.27
@endo/static-module-record@0.*
@endo/static-module-record@0.7.6
@endo/stream-node@0.*
@endo/stream-node@0.2.13
@endo/stream-types-test@0.*
@endo/stream-types-test@0.1.24
@endo/stream@0.*
@endo/stream@0.3.12
@endo/syrup@0.*
@endo/syrup@0.1.27
@endo/test262-runner@0.*
@endo/test262-runner@0.1.28
@endo/where@0.*
@endo/where@0.2.9
@endo/zip@0.*
@endo/zip@0.2.27
SES-v0.*
SES-v0.10.0
SES-v0.10.1
SES-v0.10.2
SES-v0.10.3
SES-v0.11.0
SES-v0.11.1
SES-v0.12.3
SES-v0.12.4
SES-v0.7.0
SES-v0.7.1
SES-v0.7.2
SES-v0.7.3
SES-v0.7.4
SES-v0.7.5
SES-v0.7.6
SES-v0.7.7
SES-v0.8.0
SES-v0.9.0
SES-v0.9.1
compartment-mapper-v0.*
compartment-mapper-v0.1.0
compartment-mapper-v0.2.0
compartment-mapper-v0.2.1
compartment-mapper-v0.2.3
harden-v0.*
harden-v0.0.5
harden-v0.0.6
harden-v0.0.7
harden-v0.0.8
harden-v0.1.0
harden-v0.2.0
make-hardener-v0.*
make-hardener-v0.0.7
make-hardener-v0.0.9
make-hardener-v0.1.0
make-hardener-v0.1.2
ses-ava-v0.*
ses-ava-v0.1.0
ses-integration-test@3.*
ses-integration-test@3.0.17
ses-v0.*
ses-v0.12.1
ses-v0.12.2
ses-v0.12.5
ses@0.*
ses@0.15.17
transform-module-v0.*
transform-module-v0.4.0
transform-module-v0.4.1

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-32792.json"