CVE-2025-62410
BaseFortify
Publication date: 2025-10-15
Last updated on: 2025-10-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| capricorn86 | happy-dom | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in versions before 20.0.2 of happy-dom where the option --disallow-code-generation-from-strings does not fully isolate untrusted JavaScript. Both the untrusted script and the rest of the application run in the same process, allowing attackers to use prototype pollution payloads to hijack important references like "process" or manipulate control flow by altering checks of undefined properties. It is an incomplete fix of a previous vulnerability (CVE-2025-61927) and is fixed in version 20.0.2.
How can this vulnerability impact me? :
This vulnerability can allow attackers to hijack important references and control flow within the application by exploiting prototype pollution. This can lead to unauthorized access, manipulation of application behavior, and potentially executing malicious actions within the same process as the application, posing a high security risk.
What immediate steps should I take to mitigate this vulnerability?
Upgrade happy-dom to version 20.0.2 or later, as this version contains the fix for the vulnerability. Avoid relying solely on the --disallow-code-generation-from-strings flag for isolation of untrusted JavaScript.