PT-2025-42391 · Happy-Dom · Happy-Dom

Published: 2025-10-15 · Updated: 2025-10-16 · CVE-2025-62410

CVSS v4.0: 9.4 (Critical)
Vector: AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Name of the Vulnerable Software and Affected Versions: happy-dom versions prior to 20.0.2

Description: The software does not sufficiently isolate untrusted JavaScript, even when using the --disallow-code-generation-from-strings flag. The untrusted script and the main application share the same Isolate/process, allowing attackers to use prototype pollution to hijack references, such as process, or manipulate control flow by altering checks for undefined properties. This is an incomplete fix for a previously identified issue.

Recommendations: Update to version 20.0.2 or later.
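
A dependency check for the affected range stated above, as an added example that is not part of the original advisory or the happy-dom project: it scans a parsed `package-lock.json` for installed happy-dom copies older than 20.0.2, including copies nested under other packages. The lockfileVersion 2/3 `packages` layout is assumed, and the function names and sample lockfile are constructed for illustration.

```javascript
// Added example: flag happy-dom installs older than the fixed release in this advisory.
const FIXED = [20, 0, 2]; // from the advisory: update to 20.0.2 or later

// Parse "major.minor.patch"; prerelease/build suffixes are ignored (simplification).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when version triple a sorts strictly before triple b.
function isBefore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// lock: parsed package-lock.json, e.g. JSON.parse(fs.readFileSync(path, "utf8")).
// Assumes the lockfileVersion 2/3 "packages" map keyed by install path, so a
// transitive copy shows up as "node_modules/<parent>/node_modules/happy-dom".
function findVulnerableHappyDom(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/happy-dom")) continue;
    const parsed = parseVersion(meta.version);
    // A missing or unparseable version is reported so that someone reviews it.
    if (parsed === null || isBefore(parsed, FIXED)) {
      findings.push({ path, version: meta.version ?? "unknown" });
    }
  }
  return findings;
}

// Constructed sample lockfile: one patched top-level copy, one older nested
// copy, and an unrelated scoped package that must not match.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/happy-dom": { version: "20.0.2" },
    "node_modules/example-runner/node_modules/happy-dom": { version: "15.11.7" },
    "node_modules/@example/happy-dom": { version: "1.0.0" },
  },
};

console.log(findVulnerableHappyDom(sampleLock));
```

A non-empty result means at least one installed copy is in the affected range; nested copies usually need the parent package updated or an override before the lockfile resolves to 20.0.2 or later.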

Exploit

Fix

RCE

Prototype Pollution

Weakness Enumeration

Related Identifiers

CVE-2025-62410
GHSA-QPM2-6CQ5-7PQ5

Affected Products

Happy-Dom