"A critical security flaw has been identified in Happy DOM, a widely used JavaScript library primarily employed for server-side rendering and testing frameworks. The vulnerability, cataloged as CVE-2025-61927, allows attackers to escape the library's virtual machine (VM) context, leading to potential remote code execution on vulnerable systems. This flaw threatens millions of applications that depend on Happy DOM. The root of this vulnerability lies in the improper isolation of the Node.js VM context within Happy DOM versions 19 and earlier."
"The attack differs depending on the module system in use: CommonJS or ECMAScript modules (ESM). Systems running CommonJS are particularly exposed, as attackers can access the require() function, enabling them to import and execute additional modules, increasing the attack surface. In contrast, ESM environments limit access to import or require, reducing some capabilities but still allowing process-level information retrieval. Scope and Impact"
The vulnerability CVE-2025-61927 enables escape from Happy DOM's Node.js VM context, allowing potential remote code execution on vulnerable systems. Improper isolation in Happy DOM versions 19 and earlier permits malicious JavaScript to traverse constructor inheritance and reach global Function execution at the process level. The exploit leverages walking up the constructor chain from context objects to bypass VM safeguards. Exploits differ by module system: CommonJS environments can access require() to import and execute additional modules, while ESM environments restrict import/require but still allow process-level information retrieval. Happy DOM is widely used for SSR and testing, impacting roughly 2.7 million users.
Read at The Cyber Express
Unable to calculate read time
Collection
[
|
...
]