CVE-2025-61927: 
JavaScript vulnerability analysis and mitigation

Happy DOM v19 and lower contains a critical Remote Code Execution (RCE) vulnerability (CVE-2025-61927) discovered on October 10, 2025. The vulnerability affects Happy DOM, a JavaScript implementation of a web browser without graphical user interface, which has over 2.7 million weekly downloads. The flaw received a CVSSv4 score of 9.4 (Critical) and allows attackers to escape the Node.js virtual machine (VM) context and execute arbitrary code on the host system (SecurityOnline, NVD).

The vulnerability stems from an improperly isolated Node.js VM Context environment. When untrusted JavaScript code runs within the Happy DOM VM Context, it can escape the VM and access process-level functionality. The attack vector varies depending on the environment: in CommonJS, attackers can obtain the require() function to import modules, while in ESM environments, they can access process-level details. The vulnerability originates from JavaScript's Function inheritance chain, where all classes and functions inherit from Function, which can evaluate code from strings. By traversing the constructor chain, attackers can access Function at the process level and execute arbitrary code (GitHub Advisory).

The vulnerability's impact is severe, particularly affecting server-side rendering (SSR) platforms and testing frameworks that execute untrusted or user-supplied HTML. The potential impacts include data exfiltration (theft of environment variables, configuration files, or API keys), lateral movement (access to internal network resources), code execution (running arbitrary commands via child processes), and persistence (manipulating the local file system for long-term access) (SecurityOnline).

Happy DOM maintainers have released version 20.0.0, which disables JavaScript evaluation by default. Users are recommended to: update to version 20 or later, run Node.js with the --disallow-code-generation-from-strings flag if evaluation must remain enabled (this prevents process-level code generation while allowing safe use of eval() and Function() within the VM), and disable JavaScript evaluation entirely when handling untrusted content (GitHub Advisory).