CVE-2025-62410 CRITICAL

CVE-2025-62410: --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom

Vendor Capricorn86

Product happy-dom

Weakness CWE-1321

Published October 15, 2025

Last update October 15, 2025

View on NVD All CVEs

CVSS base score

9.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

What the vulnerability does

Description

In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow via flipping checks of undefined property. This vulnerability is due to an incomplete fix for CVE-2025-61927. The vulnerability is fixed in 20.0.2.

Key dates

Disclosure timeline

October 15, 2025 CVE published

October 15, 2025 Record updated