Happy DOM: VM Context Escape can lead to Remote Code Execution

Description

No description available.

Recommendation

Update the happy-dom package to the latest compatible version. Followings are version details:

• Affected version(s): < 20.0.0
• Patched version(s): 20.0.0

References

• GHSA-37j7-fg3j-429f
• CVE-2025-61927
• CWE-94
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript - CVE-2025-62410
• Improper Verification of Cryptographic Signature in node-forge - CVE-2022-24772
• Remote Code Execution on click of <a> Link in markdown preview - CVE-2024-49362
• happy-dom allows for server side code to be executed by a <script> tag - CVE-2024-51757

Tags:

npm

happy-dom