PT-2025-17316 · Ses · Ses

Mingijunggrape · Published 2025-04-18 · Updated 2025-04-22 · CVE-2025-32792

CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions: SES versions prior to 1.12.0

Description: The issue arises when the SES Compartment API is used to evaluate third-party code in an isolated environment. In versions prior to 1.12.0, top-level let, const, and class bindings declared in <script> tags are inadvertently visible in the lexical scope of the third-party code, because of the way such bindings are handled in the global scope.

Recommendations: For versions prior to 1.12.0, update to version 1.12.0, which resolves the issue. As a temporary workaround, avoid using top-level let, const, or class bindings in <script> tags. Alternatively, change top-level let, const, or class bindings to var bindings to prevent them from being reflected on globalThis.

Related Identifiers

CVE-2025-32792
GHSA-H9W6-F932-GQ62

Affected Products

Ses