CVE-2025-61927
Published 2025-10-10
Priority P347 · high · 7.2 · CVSS 4.0
EPSS: 0.60% (44.2th percentile)
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Happy DOM v19 and lower contains a security vulnerability that puts the owner system at risk of RCE (Remote Code Execution) attacks. A Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM VM Context, it may escape the VM and get access to process-level functionality. What the attacker can get control over seems to depend on whether the process is using ESM or CommonJS. With CommonJS the attacker can get hold of the `require()` function to import modules. Happy DOM has JavaScript evaluation enabled by default. This may not be obvious to the consumer of Happy DOM and can potentially put the user at risk if untrusted code is executed within the environment. Version 20.0.0 patches the issue by changing JavaScript evaluation to be disabled by default.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| capricorn86 | happy-dom | < 20.0.2 | 20.0.2 |
| capricorn86 | happy-dom | >= 0 < 20.0.0 | 20.0.0 |
| capricorn86 | happy-dom | >= 15.10.0 < 20.8.8 | 20.8.8 |
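An added example (not part of the advisory or of the happy-dom project): a Node.js script that walks a `package-lock.json` and reports every installed happy-dom copy whose version falls inside the ranges in the table above. The sample lockfile and the function names are constructed for illustration; it assumes lockfileVersion 2 or 3 and plain MAJOR.MINOR.PATCH versions.

```javascript
// Affected ranges copied from the table above: min inclusive, fixed exclusive.
const AFFECTED_RANGES = [
  { min: "0.0.0", fixed: "20.0.2" },
  { min: "0.0.0", fixed: "20.0.0" },
  { min: "15.10.0", fixed: "20.8.8" },
];

// Parse MAJOR.MINOR.PATCH; pre-release/build suffixes are ignored (simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "Fixed in" values of every table row whose range contains the version.
function affectedBy(version) {
  return AFFECTED_RANGES
    .filter((r) => compareVersions(version, r.min) >= 0 && compareVersions(version, r.fixed) < 0)
    .map((r) => r.fixed);
}

// Walk the lockfile "packages" map, including nested node_modules copies
// pulled in transitively by other dependencies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/happy-dom$/.test(path) || !entry.version) continue;
    const fixedIn = affectedBy(entry.version);
    if (fixedIn.length > 0) findings.push({ path, version: entry.version, fixedIn });
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo" },
  "node_modules/happy-dom": { version: "19.0.2" },
  "node_modules/some-tool/node_modules/happy-dom": { version: "20.0.1" },
  "node_modules/other/node_modules/happy-dom": { version: "20.8.8" },
} };
console.log(JSON.stringify(auditLockfile(SAMPLE_LOCK), null, 2));
```

A copy is clear of all three rows only when `fixedIn` is empty, so a transitive copy pinned below 20.8.8 is still reported even if the top-level dependency has been upgraded.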
CVSS provenance
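| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v4.0 | 7.2 | HIGH | `CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X` |
| vendor_redhat | | 7.2 | HIGH | |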
GHSA
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
ghsa·2026-03-26
CVE-2026-33943 [HIGH] CWE-94 Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
### Summary
A code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization.
### Details
**Vulnerable file**: `packages/happy-dom/src/module/ECMAScriptModuleCompiler.ts`, lines 371-385
The "Export object" handler extracts content from `export { ... }` using the regex `export\s*{([^}]+)}`, then generates
OSV
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
osv·2026-03-26
CVE-2026-33943 [HIGH] Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
GHSA
Happy DOM: VM Context Escape can lead to Remote Code Execution
ghsa·2025-10-10
CVE-2025-61927 [CRITICAL] CWE-94 Happy DOM: VM Context Escape can lead to Remote Code Execution
# Escape of VM Context gives access to process level functionality
## Summary
Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks.
A Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM VM Context, it may escape the VM and get access to process level functionality.
It seems like what the attacker can get control over depends on if the process is using ESM or CommonJS. With CommonJS the attacker can get hold of the `require()` function to import modules.
Happy DOM has JavaScript evaluation enabled by default. This may not be obvious to the consumer of Happy DOM and can potenti
OSV
Happy DOM: VM Context Escape can lead to Remote Code Execution
osv·2025-10-10
CVE-2025-61927 [CRITICAL] Happy DOM: VM Context Escape can lead to Remote Code Execution
Red Hat
happy-dom: --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom
vendor_redhat·2025-10-15·CVSS 7.2
CVE-2025-62410 [HIGH] CWE-1321 happy-dom: --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom
In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow via flipping checks of undefined property. This vulnerability is due to an incomplete fix for CVE-2025-61927. The vulnerability is fixed in 20.0.2.
A sandbox escape in happy-dom allows untrusted JavaScript to run in the same V8 isolate and process as the host application. An attacker can u
Red Hat
happy-dom: Happy-DOM VM Context Escape
vendor_redhat·2025-10-10·CVSS 7.2
CVE-2025-61927 [HIGH] CWE-94 happy-dom: Happy-DOM VM Context Escape
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks. A Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM VM Context, it may escape the VM and get access to process level functionality. It seems like what the attacker can get control over depends on if the process is using ESM or CommonJS. With CommonJS the attacker can get hold of the `require()` function to import modules. Happy DOM has JavaScript evaluation enabled by default. This may not be obvious to the consumer of Happy DOM and can potentially put t
No detection rules found.
No public exploits indexed.
2025-10-10: Published