CVE-2025-61927: 
JavaScript vulnerability analysis and mitigation

Happy DOM v19 and lower contains a critical security vulnerability (CVE-2025-61927) that exposes systems to Remote Code Execution (RCE) attacks. The vulnerability was discovered and disclosed on October 9, 2025, affecting the JavaScript implementation of a web browser without its graphical user interface. The vulnerability stems from an improperly isolated Node.js VM Context, which allows untrusted JavaScript code to escape the VM and gain access to process-level functionality (GitHub Advisory).

The vulnerability occurs because all classes and functions inherit from Function, allowing attackers to walk the constructor chain to obtain Function at process level. With CommonJS, attackers can gain access to the require() function to import modules. The vulnerability has received a CVSS v4.0 score of 7.2 (HIGH) with vector string CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H. The issue is classified as CWE-94 (Improper Control of Generation of Code) (GitHub Advisory, NVD).

The vulnerability can lead to multiple severe impacts including data exfiltration through access to environment variables and configuration files, lateral movement via network access to internal systems, arbitrary code execution through child process access, and system persistence through file system access. This is particularly concerning for Server-Side Rendering (SSR) implementations and testing frameworks using Happy-DOM with untrusted content (GitHub Advisory).

The vulnerability has been patched in version 20.0.0, which disables JavaScript evaluation by default. Users are recommended to either upgrade to version 20.0.0 or above, or run Node.js with the '--disallow-code-generation-from-strings' flag if JavaScript evaluation needs to be enabled. For users unable to update immediately, it's recommended to disable JavaScript evaluation unless the content within the environment is completely trusted (GitHub Advisory).