CVE-2025-61927 Overview
CVE-2025-61927 affects Happy DOM, a JavaScript implementation of a web browser without a graphical user interface. Happy DOM versions 19 and lower expose consumers to remote code execution when untrusted JavaScript runs inside the library's VM Context. A Node.js VM Context is not an isolated sandbox, so attacker-controlled code can break out and reach process-level functionality. With CommonJS, attackers can obtain the require() function and import arbitrary modules. The risk is amplified because Happy DOM enables JavaScript evaluation by default, a behavior that may not be obvious to integrators. Version 20.0.0 patches the issue by disabling JavaScript evaluation by default.
Critical Impact
Untrusted JavaScript executed within Happy DOM can escape the VM Context and achieve remote code execution on the host process.
Affected Products
- Happy DOM versions 19 and lower
- Node.js applications embedding Happy DOM with default configuration
- Server-side rendering pipelines that evaluate untrusted client-side JavaScript
Discovery Timeline
- 2025-10-10 - CVE-2025-61927 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-61927
Vulnerability Analysis
The vulnerability is classified as Code Injection [CWE-94]. Happy DOM relies on Node.js vm module contexts to execute page-level JavaScript during DOM simulation. Node.js documentation explicitly states that vm contexts are not a security boundary. When Happy DOM evaluates untrusted scripts inside this context, the attacker can traverse object prototypes and constructor chains to reach the outer Node.js runtime.
Once outside the VM, the attacker gains access to process-level APIs. In CommonJS environments, the attacker can resolve the require() function and load modules such as child_process to spawn arbitrary commands. In ESM environments, available primitives differ but still permit access to host functionality.
Root Cause
The root cause is twofold. First, Happy DOM uses Node.js VM contexts as if they were security sandboxes, which they are not. Second, the enableJavaScriptEvaluation setting defaulted to true, so any consumer that processed untrusted HTML implicitly opted into script execution without explicit acknowledgement.
Attack Vector
An attacker supplies HTML or JavaScript that Happy DOM parses and evaluates. The script uses constructor traversal to escape the VM and invoke require('child_process').execSync() or equivalent module loads. Exploitation requires the application to feed attacker-controlled content into Happy DOM with evaluation enabled.
// Patch in packages/@happy-dom/server-renderer/src/ServerRenderer.ts
// Adds --disallow-code-generation-from-strings to worker execArgv
return;
}
const worker = new Worker(new URL('ServerRendererWorker.js', import.meta.url), {
+ execArgv: ['--disallow-code-generation-from-strings'],
workerData: {
configuration: configuration
}
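Review bot: the added `execArgv` line replaces the worker's CLI options rather than extending them. When `execArgv` is set on `new Worker(...)`, the worker no longer inherits the parent thread's options, so any flags the operator started the process with stop applying inside the renderer worker. If inherited options matter here, merge the worker-supported ones with the new flag instead of passing a fixed one-element array. A short comment above the line would also help, stating that the flag only makes `eval()` and `new Function()` throw and does not make the worker a sandbox for untrusted scripts.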
Source: GitHub Commit 819d15b
Detection Methods for CVE-2025-61927
Indicators of Compromise
- Unexpected child processes spawned by Node.js workers hosting Happy DOM, including sh, bash, cmd.exe, or powershell.exe
- Outbound network connections initiated by server-side rendering processes to unfamiliar hosts
- File writes or module loads originating from node_modules/happy-dom worker threads
- Use of require('child_process'), require('fs'), or require('net') triggered during DOM parsing
Detection Strategies
- Inventory Node.js services and identify those depending on happy-dom at versions 19 or lower via package-lock.json or npm ls happy-dom
- Inspect application code for usage of Happy DOM with enableJavaScriptEvaluation: true against untrusted input
- Monitor process trees for Node.js workers spawning shells or interpreters during HTML rendering operations
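The lockfile inventory step above can be automated. The following is an added example, not code from Happy DOM or the advisory: it scans a parsed package-lock.json (both the flat `packages` layout and the older nested `dependencies` layout) for happy-dom installs below 20.0.0. The function names and sample lockfiles are constructed for illustration.

```javascript
// Added example: flag happy-dom installs affected by CVE-2025-61927 in a parsed package-lock.json.
// Affected range per the advisory: versions 19 and lower; fixed in 20.0.0.
const FIXED_MAJOR = 20;

function isAffected(version) {
  const major = Number.parseInt(String(version).split('.')[0], 10);
  // Unparseable versions (git URLs, tarballs) are reported so a human can check them.
  return Number.isNaN(major) || major < FIXED_MAJOR;
}

// lockfileVersion 2/3: flat "packages" map keyed by install path.
function scanPackages(packages, hits) {
  for (const [path, meta] of Object.entries(packages)) {
    const isHappyDom = path === 'node_modules/happy-dom' || path.endsWith('/node_modules/happy-dom');
    if (isHappyDom && isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
}

// lockfileVersion 1: nested "dependencies" tree.
function scanDependencies(deps, prefix, hits) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const path = `${prefix}node_modules/${name}`;
    if (name === 'happy-dom' && isAffected(meta.version)) hits.push({ path, version: meta.version });
    scanDependencies(meta.dependencies, `${path}/`, hits);
  }
}

function findAffectedHappyDom(lock) {
  const hits = [];
  if (lock.packages) scanPackages(lock.packages, hits);
  else scanDependencies(lock.dependencies, '', hits);
  return hits;
}

// Constructed sample lockfiles (package names other than happy-dom are hypothetical).
const sampleV3 = {
  packages: {
    '': { name: 'ssr-service', version: '1.0.0' },
    'node_modules/happy-dom': { version: '20.0.0' },
    'node_modules/legacy-renderer/node_modules/happy-dom': { version: '15.11.7' },
  },
};
const sampleV1 = {
  dependencies: {
    'happy-dom': { version: '19.0.2' },
    'test-runner': { version: '1.6.0', dependencies: { 'happy-dom': { version: '20.0.0' } } },
  },
};
console.log(findAffectedHappyDom(sampleV3), findAffectedHappyDom(sampleV1));
```

Nested copies matter: a project can pin happy-dom 20 at the top level while a transitive dependency still installs an affected version under its own node_modules.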
Monitoring Recommendations
- Alert on creation of child processes by Node.js server-rendering workers, which should not occur during normal DOM evaluation
- Track egress connections from rendering services and baseline expected destinations
- Forward Node.js process telemetry to a centralized analytics platform for behavioral correlation
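One way to express the child-process alert above as detection logic, as an added example that is not part of the original advisory. The event shape `{pid, ppid, image, cmdline}`, the sample events, and the `/srv/ssr/` service path are assumptions; map your own process-creation telemetry onto them.

```javascript
// Added example: flag shells/interpreters descended from a Node.js rendering process.
// Event shape {pid, ppid, image, cmdline} is an assumption; map your EDR/auditd fields onto it.
const SHELLS = new Set(['sh', 'bash', 'cmd.exe', 'powershell.exe']); // from the IoC list above

const baseName = (image) => image.split(/[\\/]/).pop().toLowerCase();

function findSuspiciousSpawns(events, isRenderer) {
  const byPid = new Map(events.map((e) => [e.pid, e]));
  const alerts = [];
  for (const ev of events) {
    if (!SHELLS.has(baseName(ev.image))) continue;
    // Walk up the parent chain; `seen` guards against loops caused by PID reuse in the data.
    const seen = new Set([ev.pid]);
    let parent = byPid.get(ev.ppid);
    while (parent && !seen.has(parent.pid)) {
      if (/^node(\.exe)?$/.test(baseName(parent.image)) && isRenderer(parent)) {
        alerts.push({ shellPid: ev.pid, shell: baseName(ev.image), rendererPid: parent.pid });
        break;
      }
      seen.add(parent.pid);
      parent = byPid.get(parent.ppid);
    }
  }
  return alerts;
}

// Constructed process-creation events (not real telemetry).
const sampleEvents = [
  { pid: 100, ppid: 1, image: '/usr/bin/node', cmdline: 'node /srv/ssr/server.js' },
  { pid: 101, ppid: 100, image: '/bin/sh', cmdline: 'sh -c id' },
  { pid: 200, ppid: 1, image: '/usr/bin/node', cmdline: 'node /srv/build/cli.js' },
  { pid: 201, ppid: 200, image: '/bin/bash', cmdline: 'bash ./postinstall.sh' },
  { pid: 300, ppid: 1, image: '/usr/sbin/sshd', cmdline: 'sshd' },
  { pid: 301, ppid: 300, image: '/bin/bash', cmdline: '-bash' },
];
// Assumption: the rendering service is identified by its entry-point path.
const isSsrService = (proc) => proc.cmdline.includes('/srv/ssr/');

console.log(findSuspiciousSpawns(sampleEvents, isSsrService));
```

Scoping the rule to the rendering service keeps build tooling and interactive logins, which legitimately start shells, out of the alert stream.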
How to Mitigate CVE-2025-61927
Immediate Actions Required
- Upgrade Happy DOM to version 20.0.0 or later, where JavaScript evaluation is disabled by default
- Audit application code for any explicit enableJavaScriptEvaluation: true settings and remove them unless evaluating fully trusted input
- Run Happy DOM workers with --disallow-code-generation-from-strings to harden the V8 isolate
- Treat any HTML or script content from external sources as untrusted and never pass it directly to Happy DOM with evaluation enabled
Patch Information
The fix is delivered in Happy DOM 20.0.0. The commit 819d15ba289495439eda8be360d92a614ce22405 changes the default configuration so enableJavaScriptEvaluation must be explicitly enabled. Workers used by @happy-dom/server-renderer are launched with execArgv: ['--disallow-code-generation-from-strings'] to prevent dynamic code generation from escaping the VM context. See the GitHub Security Advisory GHSA-37j7-fg3j-429f for the full advisory.
Workarounds
- If upgrading immediately is not possible, set enableJavaScriptEvaluation: false in Happy DOM configuration
- Isolate rendering workloads in containers with minimal privileges, read-only file systems, and restricted egress
- Avoid passing attacker-controlled HTML to Happy DOM until the upgrade is complete
# Upgrade Happy DOM to a patched release
npm install happy-dom@^20.0.0
# Launch Node.js workers with code generation disabled
node --disallow-code-generation-from-strings server.js