PT-2025-41599 · Happy-Dom · Happy-Dom

Mas0Nshi · Published 2025-10-10 · Updated 2025-12-10 · CVE-2025-61927

CVSS v4.0: 7.2 (High)
Vector: AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:H/VA:H/SC:H/SI:H/SA:H
Name of the Vulnerable Software and Affected Versions: Happy DOM versions 19 and lower

Description: Happy DOM, a JavaScript implementation of a web browser without a graphical user interface, contains a security issue that could lead to Remote Code Execution (RCE). The Node.js VM context within Happy DOM is not fully isolated: untrusted JavaScript run inside this context may escape the VM and gain access to process-level functionality. The extent of control an attacker gains depends on whether the process uses ESM or CommonJS; with CommonJS, an attacker can potentially reach the require() function to import modules. JavaScript evaluation is enabled by default in Happy DOM, which poses a risk wherever untrusted content is executed within the environment. Approximately 2.7 million weekly downloads are impacted.

Recommendations: Upgrade to version 20.0.0 or later, which disables JavaScript evaluation by default.
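As an added defender-side check (not part of this advisory or of the Happy DOM project), the script below audits an npm package-lock.json object for every installed copy of happy-dom, including nested copies pulled in by other tools, and flags anything below the fixed 20.0.0 release; pre-release tags of 20.0.0 are treated conservatively as affected. The lockfile content is constructed sample data.

```javascript
// Added example: audit a package-lock.json (lockfileVersion 2 or 3, "packages"
// map keyed by install path) for happy-dom versions in the affected range.
// Per the advisory, versions 19 and lower are affected; 20.0.0 is the fix.
const FIXED_VERSION = '20.0.0';

// Parse "MAJOR.MINOR.PATCH" with an optional "-prerelease" suffix.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return { nums: m.slice(1, 4).map(Number), pre: Boolean(m[4]) };
}

// Negative if a < b, zero if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  // Semver rule: a pre-release sorts below the plain release of the same number.
  return (pa.pre ? 0 : 1) - (pb.pre ? 0 : 1);
}

function isAffected(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Every installed copy of happy-dom, top-level or nested under another package.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/happy-dom')) continue;
    findings.push({ path, version: entry.version, affected: isAffected(entry.version) });
  }
  return findings;
}

// Constructed sample lock: a fixed top-level copy plus a nested affected copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { 'happy-dom': '^20.0.0' } },
    'node_modules/happy-dom': { version: '20.0.0' },
    'node_modules/some-test-runner/node_modules/happy-dom': { version: '18.0.1' },
  },
};

for (const f of auditLockfile(sampleLock)) {
  console.log(`${f.path}@${f.version}: ${f.affected ? `AFFECTED, upgrade to ${FIXED_VERSION}` : 'ok'}`);
}
```

To run it against a real project, replace sampleLock with JSON.parse(fs.readFileSync('package-lock.json', 'utf8')).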

Tags: RCE, Code Injection

Related Identifiers: CVE-2025-61927, GHSA-37J7-FG3J-429F

Affected Products: Happy-Dom