Happy DOM Flaw Allows Remote Code Execution Affecting 2.7 Million Users

A critical security vulnerability has been discovered in Happy DOM, a popular JavaScript library used for server-side rendering and testing frameworks.

The flaw, tracked as CVE-2025-61927, enables attackers to escape the virtual machine context and execute arbitrary code on affected systems, potentially compromising millions of applications worldwide.

Critical VM Context Escape Vulnerability

Happy DOM versions 19 and below contain a severe security weakness that allows malicious JavaScript code to break out of the intended sandbox environment.

The vulnerability stems from improper isolation of the Node.js VM context, which was designed to provide a secure execution environment for untrusted code.

| CVE ID | Product | Severity | CVSS Score | Affected Versions | Patched Version |
| --- | --- | --- | --- | --- | --- |
| CVE-2025-61927 | Happy DOM | Critical | 10.0 (CVSS v4) | < 20 | 20+ |

Security researcher Mas0nShi discovered that attackers can exploit the constructor chain inheritance from the Function class to gain access to process-level functionality.

The attack technique involves walking up the constructor chain to reach the global Function constructor, which can then evaluate code strings at the process level rather than within the isolated VM context.

This escape mechanism works differently depending on whether the target system uses CommonJS or ECMAScript modules, with CommonJS environments being particularly vulnerable as attackers can obtain access to the require() function for importing additional modules.

The vulnerability affects approximately 2.7 million users who rely on Happy DOM for server-side rendering applications and testing frameworks.

Applications at highest risk include those that process user-controlled HTML content through Happy DOM, particularly in server-side rendering scenarios where untrusted content is dynamically rendered.

The security flaw also poses significant risks to testing environments that execute untrusted JavaScript code within Happy DOM contexts.

Successful exploitation enables attackers to perform data exfiltration by accessing environment variables and configuration files, achieve lateral movement through network connections, execute arbitrary commands via child processes, and establish persistence through file system access.

The vulnerability receives a maximum CVSS v4 score of 10.0, indicating critical severity with high impact across confidentiality, integrity, and availability.

Happy DOM's maintainer, Ortner IT Solutions AB, has released version 20 to address the security flaw. The release disables JavaScript evaluation by default and adds security warnings for potentially unsafe configurations.

Organisations using affected versions should immediately upgrade to Happy DOM v20 or later to eliminate the vulnerability.

For environments requiring JavaScript evaluation, administrators should start Node.js with the "--disallow-code-generation-from-strings" flag to prevent code evaluation at the process level.

Users unable to upgrade immediately should disable JavaScript evaluation within Happy DOM unless the executed content is completely trusted.

The patched version includes enhanced security measures and warns users about potential risks when JavaScript evaluation is enabled in insecure environments, providing better protection against similar VM escape attacks.
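The remediation guidance above can be turned into a quick triage check. The following is an added example, not code from Happy DOM or from the original article: it classifies a service by its resolved happy-dom version, by whether JavaScript evaluation is enabled (a value the caller supplies, as an assumption), and by whether the Node.js flag is configured. The inventory entries and version strings are constructed.

```javascript
// Added triage example, not Happy DOM code. Input values below are constructed.
const FLAG = '--disallow-code-generation-from-strings';
const FIRST_PATCHED_MAJOR = 20; // article: versions below 20 affected, 20+ patched

// Major version of a resolved version string ("19.0.2", "v20.0.0"); null if unparseable.
function majorOf(version) {
  const m = /^v?(\d+)\.\d+\.\d+/.exec(String(version).trim());
  return m ? Number(m[1]) : null;
}

// True when the flag appears in Node's CLI arguments or in NODE_OPTIONS.
function flagConfigured(execArgv, nodeOptions) {
  return [...execArgv, ...String(nodeOptions || '').split(/\s+/)].includes(FLAG);
}

// Runtime self-test: with the flag active, V8 refuses to compile strings into code,
// so the Function constructor throws EvalError instead of returning a function.
function stringCodegenBlocked() {
  try {
    new Function('return 1');
    return false;
  } catch (err) {
    return err instanceof EvalError;
  }
}

// jsEvaluationEnabled is supplied by the caller (assumption: you know whether your
// Happy DOM setup evaluates page scripts); this helper does not inspect Happy DOM.
function assess({ happyDomVersion, jsEvaluationEnabled, execArgv = [], nodeOptions = '' }) {
  const major = majorOf(happyDomVersion);
  if (major === null) return 'unknown-version';
  if (major < FIRST_PATCHED_MAJOR) {
    return jsEvaluationEnabled ? 'vulnerable-upgrade-now' : 'affected-eval-disabled-upgrade';
  }
  if (jsEvaluationEnabled && !flagConfigured(execArgv, nodeOptions)) {
    return 'patched-but-add-node-flag';
  }
  return 'ok';
}

// Constructed sample inventory of services.
const inventory = [
  { name: 'ssr-web', happyDomVersion: '19.0.2', jsEvaluationEnabled: true },
  { name: 'unit-tests', happyDomVersion: '18.0.1', jsEvaluationEnabled: false },
  { name: 'preview', happyDomVersion: '20.0.0', jsEvaluationEnabled: true },
  { name: 'preview-hardened', happyDomVersion: '20.0.0', jsEvaluationEnabled: true,
    execArgv: [FLAG] },
];
for (const svc of inventory) console.log(svc.name, '->', assess(svc));
console.log('string codegen blocked in this process:', stringCodegenBlocked());
```

In a live process, pass `process.execArgv` and `process.env.NODE_OPTIONS` to `assess`, and use `stringCodegenBlocked()` to confirm the flag actually took effect.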


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.