happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
- Severity:
- High
Description
The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads.
Recommendation
Update the happy-dom package to the latest compatible version. Followings are version details:
- Affected version(s): >= 19.0.0, < 20.0.2
- Patched version(s): 20.0.2
References
Related Issues
- Happy DOM: VM Context Escape can lead to Remote Code Execution - CVE-2025-61927
- Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code - CVE-2026-33943
- happy-dom allows for server side code to be executed by a <script> tag - CVE-2024-51757
- vue-i18n's escapeParameterHtml does not prevent DOM-based XSS through its tag attributes - CVE-2025-53892
- Tags:
- npm
- happy-dom
Anything's wrong? Let us know Last updated on November 27, 2025