CVE-2025-32792: CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere in endojs endo
SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using `ses` and the Compartment API to evaluate third-party code in an isolated execution environment that have also elsewhere used `const`, `let`, and `class` bindings in the top-level scope of a `<script>` tag will have inadvertently revealed these bindings in the lexical scope of third-party code. This issue has been patched in version 1.12.0. Workarounds for this issue involve either avoiding top-level `let`, `const`, or `class` bindings in `<script>` tags, or changing these to `var` bindings so that they are reflected on `globalThis`.
AI Analysis
Technical Summary
CVE-2025-32792 is a vulnerability in the endojs project's 'endo' product, specifically affecting versions prior to 1.12.0. The endo library leverages SES (Secure ECMAScript) to safely execute third-party JavaScript code in isolated compartments, restricting the code's authority and preventing it from accessing or modifying sensitive global state.

The vulnerability arises when web pages or web extensions use the 'ses' and Compartment API to evaluate third-party code in an isolated environment while also declaring 'const', 'let', or 'class' bindings at the top level of <script> tags elsewhere on the same page or extension. In a classic script, top-level 'var' declarations become properties of globalThis, whereas top-level 'let', 'const', and 'class' declarations live in the global lexical environment and are not reflected on globalThis. Due to the way SES handled lexical scoping prior to 1.12.0, these top-level lexical bindings were inadvertently exposed to the lexical scope of the third-party code running inside the compartment. As a result, application state that should be encapsulated and inaccessible can be read by untrusted third-party scripts, undermining the core isolation guarantee of SES compartments and potentially allowing malicious code to glean sensitive data or infer application internals.

The issue was addressed and patched in version 1.12.0 of endo. Workarounds prior to patching include avoiding top-level 'let', 'const', or 'class' bindings in <script> tags or replacing them with 'var' declarations, which are reflected on the globalThis object and thus do not leak into the compartment's lexical scope. No known exploits have been reported in the wild as of the publication date, but the vulnerability represents a subtle and non-obvious information exposure risk in environments relying on SES for secure code evaluation.
Potential Impact
For European organizations, the impact of this vulnerability can be significant, especially for those developing or deploying web applications, browser extensions, or platforms that rely on SES and the endo library to sandbox third-party JavaScript code. The unintended exposure of sensitive bindings could lead to leakage of confidential information such as application secrets, user data, or internal state variables. This information disclosure could facilitate further attacks, including privilege escalation, data exfiltration, or targeted exploitation of other vulnerabilities. Organizations in sectors with strict data protection requirements (e.g., finance, healthcare, government) could face compliance risks if sensitive data is exposed. Moreover, since SES is used to enforce strict isolation, the breach of this isolation boundary undermines trust in the security model, potentially affecting supply chain security where third-party scripts are evaluated. Although no active exploits are known, the vulnerability's presence in widely used JavaScript sandboxing tools means that attackers could develop exploits, especially in environments where top-level lexical bindings are common. The impact is compounded in complex web applications and browser extensions prevalent in European markets, where third-party code evaluation is routine.
Mitigation Recommendations
To mitigate this vulnerability, European organizations should:
1) Immediately upgrade all endojs 'endo' library dependencies to version 1.12.0 or later, where the vulnerability is patched.
2) Audit existing web pages and browser extensions to identify usage of top-level 'let', 'const', or 'class' bindings within <script> tags that coexist with SES compartment usage. Refactor these bindings to 'var' declarations or move them into function scopes to prevent leakage.
3) Implement static code analysis or automated scanning tools to detect risky lexical bindings in scripts that interact with SES compartments.
4) Review and harden the compartment initialization code to ensure no unintended global or lexical scope leakage occurs.
5) Educate development teams about the nuances of JavaScript scoping and SES compartment isolation to avoid similar issues in future code.
6) Monitor security advisories for any emerging exploits targeting this vulnerability and prepare incident response plans accordingly.
7) For organizations unable to upgrade immediately, consider isolating third-party code evaluation environments or employing additional runtime monitoring to detect anomalous access patterns.
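A small scanner for the audit step above, added here as an example and not part of the advisory or the endo project: it flags top-level `let`, `const` and `class` declarations in a classic `<script>` body while ignoring the same declarations inside functions or blocks, which are not exposed. The sample script body is constructed for the demonstration.

```javascript
// Flags top-level `let`, `const` and `class` declarations in a classic <script>
// body. Brace depth is tracked so declarations inside functions or blocks (not
// exposed) are ignored; comments and string literals are skipped so braces in
// them do not skew the depth. Destructuring and regex literals are not handled.
function findTopLevelLexicalBindings(source) {
  const findings = [];
  const n = source.length;
  let depth = 0, i = 0;
  while (i < n) {
    const ch = source[i];
    const next = source[i + 1];
    if (ch === '/' && next === '/') { // line comment
      const end = source.indexOf('\n', i);
      i = end === -1 ? n : end;
    } else if (ch === '/' && next === '*') { // block comment
      const end = source.indexOf('*/', i + 2);
      i = end === -1 ? n : end + 2;
    } else if (ch === '"' || ch === "'" || ch === '`') { // string or template literal
      let j = i + 1;
      while (j < n && source[j] !== ch) j += source[j] === '\\' ? 2 : 1;
      i = j + 1;
    } else if (ch === '{') {
      depth += 1; i += 1;
    } else if (ch === '}') {
      depth = Math.max(0, depth - 1); i += 1;
    } else if (/[A-Za-z_$]/.test(ch)) { // start of an identifier or keyword
      const m = /^(let|const|class)\s+([A-Za-z_$][\w$]*)/.exec(source.slice(i, i + 200));
      if (depth === 0 && m && source[i - 1] !== '.') {
        findings.push({ kind: m[1], name: m[2] });
        i += m[0].length;
      } else {
        while (i < n && /[\w$]/.test(source[i])) i += 1; // consume the whole word
      }
    } else {
      i += 1;
    }
  }
  return findings;
}

// Constructed sample <script> body mixing exposed and safe bindings.
const SAMPLE_SCRIPT = `
var apiBase = "https://example.invalid";  // var: reflected on globalThis, not exposed
const sessionToken = "constructed-token"; // const: exposed to compartment code
let pendingRequests = 0;                  // let: exposed
class VaultClient { constructor() { const inner = 1; } } // class: exposed; inner is not
function helper() { let local = "{"; return local; }     // function-scoped, not exposed
/* const commented = 1 */`;

const auditSample = () => findTopLevelLexicalBindings(SAMPLE_SCRIPT);
```

Each finding names a binding that should be moved into a function scope or changed to `var` until the `ses` dependency is at 1.12.0 or later.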
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Belgium, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-04-10T12:51:12.281Z
- Cisa Enriched: true
Threat ID: 682d984bc4522896dcbf83f3
Added to database: 5/21/2025, 9:09:31 AM
Last enriched: 6/20/2025, 10:19:10 AM
Last updated: 8/15/2025, 5:32:27 PM