CVE-2025-62410: 
JavaScript vulnerability analysis and mitigation

CVE-2025-62410 affects happy-dom versions before 20.0.2, where the --disallow-code-generation-from-strings flag is insufficient for isolating untrusted JavaScript. This vulnerability, discovered on October 15, 2025, is an incomplete fix for CVE-2025-61927. The core issue lies in the fact that untrusted scripts and the main application share the same Isolate/process, enabling attackers to deploy prototype pollution payloads (GitHub Advisory, NVD).

The vulnerability stems from incomplete sandboxing where disabling dynamic code generation only blocks eval and Function but does not isolate execution contexts. Both trusted and untrusted scripts share prototypes in one isolate, allowing attackers to pollute builtins like Object.prototype.hasOwnProperty() to obtain important references at runtime. The vulnerability has received a CVSS 4.0 Base Score of 9.4 (CRITICAL) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H (Red Hat).

The vulnerability enables arbitrary code execution by breaking out of the Node.js' vm isolation. Attackers can hijack important references like 'process' and execute arbitrary commands through prototype pollution payloads. Even without prototype pollution capabilities, untrusted code can still retrieve and exfiltrate information available in the global scope via fetch() (GitHub Advisory, Miggo).

The vulnerability is fixed in version 20.0.2. As a temporary workaround, users can freeze the builtins in the global scope to defend against prototype pollution attacks. However, this is not a complete solution as untrusted code may still access and exfiltrate global scope information. The recommended long-term solution is migrating to isolated-vm (GitHub Advisory).