CVE-2025-61927
VM Context Escape vulnerability in happy-dom (npm)
What is CVE-2025-61927 About?
Happy DOM versions 19 and lower are vulnerable to a VM context escape, allowing untrusted JavaScript code to access process-level functionality in Node.js. This critical flaw enables Remote Code Execution (RCE) attacks by breaking out of the VM's isolation. Exploitation is relatively easy if an attacker can execute untrusted JavaScript within the Happy DOM environment, as it leverages fundamental JavaScript mechanisms.
Affected Software
Technical Details
The vulnerability in Happy DOM v19 and lower allows untrusted JavaScript code running within the VM context to escape its confines and access the underlying Node.js process. This is possible because the Node.js VM Context is not perfectly isolated, and attackers can leverage the JavaScript constructor chain. By repeatedly accessing this.constructor.constructor, an attacker can retrieve a reference to the global Function constructor at the process level. Since Function can evaluate strings as code, the attacker can then execute arbitrary JavaScript with the full privileges of the Node.js process. That gives access to process.mainModule.require (in CommonJS), process.pid (in ESM), and other system functions, leading to RCE, data exfiltration, or lateral movement. Because JavaScript evaluation is enabled by default in Happy DOM, the risk is exacerbated.
What is the Impact of CVE-2025-61927?
Successful exploitation may allow attackers to execute arbitrary code with process-level privileges, gain full control over the host system, access sensitive data, or perform unauthorized network operations.
What is the Exploitability of CVE-2025-61927?
Exploitation requires the ability to execute untrusted JavaScript code within the Happy DOM VM context. This is typically a remote attack vector if the application processes user-supplied content that includes JavaScript (e.g., in Server-Side Rendering or testing frameworks). No specific authentication is required at the VM level once code execution is achieved, but the ability to inject the malicious script into the Happy DOM environment might require prior access or bypassing input validation. The complexity is low to medium, relying on basic JavaScript constructor chaining. The risk is significantly increased in applications that pass untrusted HTML/JavaScript content to Happy DOM or have JavaScript evaluation enabled by default without proper sandboxing or the Node.js --disallow-code-generation-from-strings flag.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2025-61927?
Available Upgrade Options
- happy-dom
- <20.0.0 → Upgrade to 20.0.0
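An audit sketch for the two mitigations named on this page, the upgrade to 20.0.0 and the Node.js --disallow-code-generation-from-strings flag. This is an added example, not code from the happy-dom project or the advisory; the function names, the sample lockfile, and the package name some-test-runner are constructed for illustration.

```javascript
// Added example: find happy-dom installs affected by CVE-2025-61927 (< 20.0.0)
// and report whether this Node.js process still allows code generation from strings.
const FIXED_MAJOR = 20; // from the page: "<20.0.0 -> Upgrade to 20.0.0"

// Return every happy-dom entry (top-level or nested) in an npm lockfile v2/v3 "packages" map.
function findHappyDom(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (path === 'node_modules/happy-dom' || path.endsWith('/node_modules/happy-dom')) {
      const major = Number.parseInt(String(meta.version).split('.')[0], 10);
      hits.push({
        path,
        version: meta.version,
        // Unparseable versions are flagged so they get a manual review.
        vulnerable: Number.isNaN(major) || major < FIXED_MAJOR,
      });
    }
  }
  return hits;
}

// True when the flag is present on the command line or in NODE_OPTIONS.
function flagConfigured(execArgv = process.execArgv, nodeOptions = process.env.NODE_OPTIONS || '') {
  const flag = '--disallow-code-generation-from-strings';
  return execArgv.includes(flag) || nodeOptions.split(/\s+/).includes(flag);
}

// Behavioural probe: can a Function still be built from a string in this process?
function stringCodegenAllowed() {
  try {
    return new Function('return 1')() === 1;
  } catch (err) {
    return false; // V8 throws EvalError when the flag is active
  }
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/happy-dom': { version: '20.0.0' },
    'node_modules/some-test-runner/node_modules/happy-dom': { version: '15.11.7' },
  },
};

console.log(findHappyDom(sampleLock),
  { flagConfigured: flagConfigured(), stringCodegenAllowed: stringCodegenAllowed() });
```

Nested copies matter here: a test runner or SSR dependency can pin its own older happy-dom even after the top-level package has been upgraded.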
Additional Resources
- https://github.com/capricorn86/happy-dom/commit/819d15ba289495439eda8be360d92a614ce22405
- https://github.com/capricorn86/happy-dom/security/advisories/GHSA-37j7-fg3j-429f
- https://github.com/capricorn86/happy-dom/releases/tag/v20.0.0
- https://github.com/capricorn86/happy-dom
- https://github.com/capricorn86/happy-dom/commit/de438ad72921c69793584aa657b48d3655dfac97
- https://osv.dev/vulnerability/GHSA-37j7-fg3j-429f
- https://nvd.nist.gov/vuln/detail/CVE-2025-61927
What are Similar Vulnerabilities to CVE-2025-61927?
Similar Vulnerabilities: CVE-2022-26279, CVE-2022-26280, CVE-2021-23395, CVE-2021-23398, CVE-2021-23424
