CVE-2025-61927
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-10

Last updated on: 2025-10-14

Assigner: GitHub, Inc.

Description
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks. A Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM VM Context, it may escape the VM and get access to process level functionality. It seems like what the attacker can get control over depends on if the process is using ESM or CommonJS. With CommonJS the attacker can get hold of the `require()` function to import modules. Happy DOM has JavaScript evaluation enabled by default. This may not be obvious to the consumer of Happy DOM and can potentially put the user at risk if untrusted code is executed within the environment. Version 20.0.0 patches the issue by changing JavaScript evaluation to be disabled by default.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-10
Last Modified
2025-10-14
Generated
2026-05-06
AI Q&A
2025-10-10
EPSS Evaluated
2026-05-05
NVD
CVE-2025-61927
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
capricorn86 happy-dom 20.0.0
capricorn86 happy-dom *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

Happy DOM v19 and lower has a security vulnerability where the Node.js VM Context used is not truly isolated. If untrusted JavaScript code is run within this VM Context, it can escape the sandbox and gain access to process-level functionality, potentially allowing remote code execution (RCE). The level of control an attacker gains depends on whether the process uses ESM or CommonJS modules. In CommonJS, the attacker can access the require() function to import modules. This vulnerability exists because JavaScript evaluation is enabled by default, which may not be obvious to users. Version 20.0.0 fixes this by disabling JavaScript evaluation by default.


How can this vulnerability impact me? :

This vulnerability can allow an attacker to execute arbitrary code on the system running Happy DOM if untrusted JavaScript is executed within its VM Context. This can lead to full system compromise, data theft, or other malicious activities depending on the attacker's goals and the environment's configuration.


What immediate steps should I take to mitigate this vulnerability?

Upgrade Happy DOM to version 20.0.0 or later, as this version disables JavaScript evaluation by default, mitigating the risk of Remote Code Execution when running untrusted JavaScript code within the Happy DOM VM Context.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart