# CVE-2025-62410
Published 2025-10-15
Priority P3 · 49 · Critical · 9.4 (CVSS 4.0)
EPSS 0.32% (23.5th percentile)
In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow by flipping the outcome of checks for undefined properties. This vulnerability is due to an incomplete fix for CVE-2025-61927. The vulnerability is fixed in 20.0.2.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| capricorn86 | happy-dom | >= 19.0.0 < 20.0.2 | 20.0.2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 4.0 | 9.4 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vendor_redhat | | 7.2 | HIGH | |
Red Hat
vendor_redhat · 2025-10-15 · CVSS 7.2 (HIGH) · CWE-1321
happy-dom: --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom
A sandbox escape in happy-dom allows untrusted JavaScript to run in the same V8 isolate and process as the host application. An attacker can u
OSV
osv · 2025-10-15 · CRITICAL
happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
### Summary
The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads.
### Details
The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow by flipping the outcome of checks for undefined properties. There might be other payloads that allow the manipulation of require, e.g., via (universal) gadgets (https://www.usenix.org/system/files/usenixsecurity23-shcherbakov.pdf).
### PoC
Attackers can pol
GHSA
ghsa · 2025-10-15 · CRITICAL · CWE-1321
happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
The GHSA entry carries the same Summary, Details and PoC text as the OSV entry above.
No detection rules found.
No public exploits indexed.