CRITICAL | CVE-2025-61927 | CVSS 9.5

CVE-2025-61927: RCE in Happy DOM Node.js Library

Platform

nodejs

Component

happy-dom

Fixed in

20.0.1

20.0.0

AI Confidence: high | NVD | EPSS 0.4% | Reviewed: May 2026

CVE-2025-61927 represents a critical Remote Code Execution (RCE) vulnerability affecting versions 19 and earlier of the Happy DOM JavaScript library. This vulnerability allows attackers to escape the VM Context and gain process-level access, potentially leading to complete system compromise. The vulnerability stems from insufficient isolation within the Node.js VM Context. A fix is available in version 20.0.0.

Impact and Attack Scenarios

The impact of CVE-2025-61927 is severe. An attacker who can inject and execute malicious JavaScript code within a Happy DOM context can potentially execute arbitrary code on the host system. The level of control gained depends on whether the process utilizes CommonJS or ESM modules; with CommonJS, the attacker can leverage the require() function for further exploitation. This could lead to data theft, system takeover, and lateral movement within the network. The ability to execute arbitrary code effectively grants the attacker complete control over the affected process.

Exploitation Context

CVE-2025-61927 was publicly disclosed on 2025-10-10. The vulnerability's nature, allowing for arbitrary code execution, suggests a potentially high exploitation probability. No public proof-of-concept (POC) code has been observed at the time of writing, but the ease of exploitation once a suitable context is found makes active exploitation a concern. The vulnerability is not currently listed on the CISA KEV catalog.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: NO

EPSS

0.35% (57th percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: partial

Affected Software

Component: happy-dom
Vendor: osv
Affected range: < 20.0.0
Fixed in: 20.0.1, 20.0.0

Package Information

Latest version: 20.9.0 (last updated recently)

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. Modified
  4. EPSS updated
Patched 0 days after disclosure

Mitigation and Workarounds

The primary mitigation for CVE-2025-61927 is to immediately upgrade to Happy DOM version 20.0.0 or later. If upgrading is not immediately feasible, consider isolating Happy DOM instances within a tightly controlled environment with limited privileges. While not a complete solution, restricting the permissions of the process running Happy DOM can limit the potential damage from a successful exploit. Monitor for unusual process activity and network connections originating from Node.js processes utilizing Happy DOM. There are no specific WAF rules or configuration workarounds available beyond the upgrade.

How to fix

Update the happy-dom dependency to version 20.0.0 or later. This disables JavaScript evaluation by default, mitigating the risk of remote code execution. If you need the JavaScript evaluation functionality, make sure to carefully validate and sanitize any untrusted code before executing it.
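As an added illustration of the "am I affected" check (example code, not from this advisory or from the happy-dom project), the following Node.js snippet walks a package-lock.json and flags every happy-dom install, including transitively nested copies, whose version falls in the affected range (< 20.0.0). The lockfile contents and the package name `some-tool` are constructed for the example.

```javascript
// Added example (not from the advisory or the happy-dom project): scan a
// package-lock.json (lockfile v2/v3 "packages" map) for happy-dom installs
// in the range this advisory lists as affected (< 20.0.0).
const FIXED_IN = '20.0.0';
// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Comparator: negative if a < b. A prerelease sorts before its release
// (20.0.0-beta.1 < 20.0.0), so prereleases of the fix are still affected.
// Prerelease identifiers are compared as plain strings (a simplification).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

function isAffected(version) {
  return compareSemver(version, FIXED_IN) < 0;
}

// Walk every "node_modules/.../happy-dom" entry, including nested copies
// pulled in transitively by other dependencies, and return the vulnerable ones.
function findVulnerableHappyDom(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/happy-dom$/.test(path)) continue;
    if (entry.version && isAffected(entry.version)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile (hypothetical package names): one vulnerable
// direct install and one fixed copy nested under another dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', version: '1.0.0' },
    'node_modules/happy-dom': { version: '19.0.2' },
    'node_modules/some-tool/node_modules/happy-dom': { version: '20.0.1' },
  },
};
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and call `findVulnerableHappyDom` on the result.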

Frequently asked questions

What is CVE-2025-61927 — RCE in Happy DOM Node.js Library?

CVE-2025-61927 is a critical Remote Code Execution vulnerability in Happy DOM versions 19 and below. It allows attackers to escape the VM Context and execute arbitrary code on the host system.

Am I affected by CVE-2025-61927 in Happy DOM Node.js Library?

You are affected if you are using Happy DOM version 19 or earlier. Check your project dependencies to determine if you are using a vulnerable version.

How do I fix CVE-2025-61927 in Happy DOM Node.js Library?

Upgrade to Happy DOM version 20.0.0 or later to mitigate this vulnerability. Ensure your package manager is updated to retrieve the latest version.

Is CVE-2025-61927 being actively exploited?

While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a potential for active campaigns. Continuous monitoring is recommended.

Where can I find the official Happy DOM advisory for CVE-2025-61927?

Refer to the Happy DOM project's official repository and release notes for the advisory and further details: [https://github.com/happy-dom/happy-dom](https://github.com/happy-dom/happy-dom)