happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
- Severity:
- High
Description
The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads.
Recommendation
Update the happy-dom package to the latest compatible version. Followings are version details:
- Affected version(s): >= 19.0.0, < 20.0.2
- Patched version(s): 20.0.2
References
Related Issues
- Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect - CVE-2024-30261
- happy-dom allows for server side code to be executed by a <script> tag - CVE-2024-51757
- Saltcorn Server allows logged-in users to delete arbitrary files because of a path traversal vulnerability - CVE-2024-47818
- Happy DOM: VM Context Escape can lead to Remote Code Execution - CVE-2025-61927
- Tags:
- npm
- happy-dom
Anything's wrong? Let us know Last updated on November 27, 2025