CVE-2025-62410: 
JavaScript vulnerability analysis and mitigation

A critical vulnerability (CVE-2025-62410) was discovered in happy-dom versions before 20.0.2, related to insufficient isolation of untrusted JavaScript code. The vulnerability was disclosed on October 15, 2025, and affects the security mechanism intended to isolate untrusted JavaScript code. This vulnerability is particularly concerning as it represents an incomplete fix for a previous vulnerability (CVE-2025-61927) (GitHub Advisory).

The vulnerability stems from the --disallow-code-generation-from-strings flag not providing sufficient isolation for untrusted JavaScript in happy-dom. The core issue is that untrusted scripts and the main application continue to run in the same Isolate/process, enabling attackers to deploy prototype pollution payloads. The vulnerability has received a CVSS 4.0 Base Score of 9.4 (CRITICAL) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (NVD).

The vulnerability can lead to arbitrary code execution by breaking out of Node.js' vm isolation. Attackers can pollute builtins like Object.prototype.hasOwnProperty() to obtain important references at runtime, such as the 'process' object, potentially enabling arbitrary command execution. Additionally, attackers might be able to retrieve and exfiltrate information available in the global scope via fetch(), even without prototype pollution capabilities (GitHub Advisory).

The vulnerability has been patched in version 20.0.2 of happy-dom. For users unable to update immediately, it is recommended to freeze the builtins in the global scope to defend against prototype pollution attacks. However, this may not fully mitigate all attack vectors, and migration to isolated-vm is strongly recommended for a more comprehensive security solution (GitHub Advisory).