Platform: nodejs
Component: happy-dom
Fixed in: 20.0.1, 20.0.0
CVE-2025-61927 is a critical remote code execution (RCE) vulnerability in Happy DOM, a JavaScript implementation of a browser DOM for Node.js, affecting every release before 20.0.0 (version 19 and earlier). Happy DOM evaluates the scripts of a loaded document inside a Node.js vm context, and that context does not isolate the script from the host: attacker-controlled JavaScript can escape the context and gain process-level access, potentially leading to complete compromise of the host system. Node.js itself documents the node:vm module as not being a security mechanism, so the isolation the library relied on was insufficient. A fix is available in version 20.0.0.
The impact of CVE-2025-61927 is severe. An attacker who can get a Happy DOM instance to evaluate JavaScript they control (for example a script inside untrusted HTML loaded into a Happy DOM window) can execute arbitrary code in the host Node.js process. How much that buys them depends on whether the process uses CommonJS or ESM modules: under CommonJS the attacker can reach require() and load arbitrary modules, which makes further exploitation straightforward. The outcome can be data theft, takeover of the host and lateral movement within the network; in every case the attacker has full control of the affected process.
CVE-2025-61927 was publicly disclosed on 2025-10-10. Because the bug yields arbitrary code execution, exploitation is simple once the precondition is met: the attacker must be able to supply JavaScript that a vulnerable Happy DOM instance evaluates. No public proof-of-concept (PoC) code had been observed at the time of writing, the EPSS score listed on this page (0.35%, 57th percentile) reflects a low predicted probability of exploitation in the wild, and the vulnerability is not currently listed in the CISA KEV catalog. Treat that as a snapshot rather than a reason to defer patching.
Applications and services that use Happy DOM for server-side rendering or testing are at risk, in particular those that load dynamically generated or third-party content, or that execute JavaScript within a Happy DOM context. Projects on older versions of Happy DOM that process untrusted user input (HTML, markup fragments or scripts from outside the trust boundary) are especially exposed.
Detection hints (heuristics only; the authoritative check is the happy-dom version recorded in your lockfile or reported by `npm ls happy-dom`):

• nodejs / supply-chain: `Get-Process | Where-Object {$_.ProcessName -eq 'node'} | Select-Object -ExpandProperty CommandLine` lists the command lines of running Node.js processes so you can locate the projects (and their node_modules trees) that need to be checked.
• nodejs / supply-chain: `Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='HappyDOM']]]" -MaxEvents 10` is only useful if your own application logs under an event provider named HappyDOM; the library itself does not write to the Windows event log.
• generic web: `curl -I https://your-website.com/ | grep -i 'happy-dom'` looks for the library name in response headers; a match is possible only if the application deliberately exposes it, so a miss proves nothing.

Disclosure
Exploit status
EPSS
0.35% (57th percentile)
CISA SSVC
The primary mitigation for CVE-2025-61927 is to upgrade to Happy DOM 20.0.0 or later without delay; the fixed release disables JavaScript evaluation by default. If upgrading is not immediately feasible, run the Happy DOM instance in a tightly controlled environment with the least privileges it needs: this does not remove the vulnerability, but it limits what a successful escape can do. Monitor Node.js processes that use Happy DOM for unusual child processes and network connections. There are no WAF rules or configuration workarounds that substitute for the upgrade.
Update the happy-dom dependency to version 20.0.0 or later. This disables JavaScript evaluation by default, which removes the remote code execution risk. If you need JavaScript evaluation, enable it only for documents and scripts you fully trust: a Node.js vm context is not a security boundary, so validating or sanitizing untrusted code before running it is not a reliable substitute.
CVE-2025-61927 is a critical Remote Code Execution vulnerability in Happy DOM versions 19 and below. It allows attackers to escape the VM Context and execute arbitrary code on the host system.
You are affected if any copy of Happy DOM in your dependency tree, direct or transitive, is older than 20.0.0 (version 19 or earlier). Check your lockfile or run `npm ls happy-dom` to see which versions are installed.
Upgrade to Happy DOM 20.0.0 or later. Update the dependency range and regenerate the lockfile so that nested copies pulled in by other packages are updated as well.
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a potential for active campaigns. Continuous monitoring is recommended.
Refer to the Happy DOM project's official repository and release notes for the advisory and further details: [https://github.com/happy-dom/happy-dom](https://github.com/happy-dom/happy-dom)