Happy DOM: VM Context Escape can lead to Remote Code Execution
Platform: nodejs
Component: happy-dom
Fixed versions: 20.0.1, 20.0.0
CVE-2025-61927 is a critical remote code execution (RCE) vulnerability in the Happy DOM JavaScript library affecting version 19 and earlier. JavaScript evaluated inside a Happy DOM window can escape the Node.js VM context the library uses for isolation and reach process-level objects, which can lead to complete compromise of the host. The root cause is insufficient isolation within the Node.js VM context: the vm module does not provide a security boundary on its own. A fix is available in version 20.0.0.
Impact and attack scenarios
The impact of CVE-2025-61927 is severe. An attacker who can get malicious JavaScript evaluated within a Happy DOM context can execute arbitrary code in the hosting Node.js process, and therefore on the host system. The level of control gained depends on whether the process uses CommonJS or ESM modules; with CommonJS, the escaped code can reach require() and load any module available to the process. This can lead to data theft, system takeover, and lateral movement within the network. Arbitrary code execution grants the attacker complete control over the affected process.
Exploitation context
CVE-2025-61927 was publicly disclosed on 2025-10-10. The vulnerability's nature, allowing for arbitrary code execution, suggests a potentially high exploitation probability. No public proof-of-concept (POC) code has been observed at the time of writing, but the ease of exploitation once a suitable context is found makes active exploitation a concern. The vulnerability is not currently listed on the CISA KEV catalog.
Who is at risk
Applications and services utilizing Happy DOM for server-side rendering or testing are at risk. This includes projects that dynamically generate content or execute JavaScript code within a Happy DOM context. Developers using older versions of Happy DOM in their Node.js projects, particularly those handling untrusted user input, are especially vulnerable.
Detection steps
• nodejs / supply-chain (PowerShell 7): list the command lines of running Node processes to see which scripts and test runners are in use. Windows PowerShell 5.1 does not expose CommandLine on Get-Process output, so this only works on PowerShell 7 or later.
Get-Process | Where-Object {$_.ProcessName -eq 'node'} | Select-Object -ExpandProperty CommandLine
• nodejs / supply-chain: query the Application log for a provider named HappyDOM. Happy DOM itself writes nothing to the Windows event log, so this only finds entries your own application emits under that provider name.
Get-WinEvent -LogName Application -FilterXPath "*[System[Provider[@Name='HappyDOM']]]" -MaxEvents 10
• generic web: look for a happy-dom marker in response headers. This only works if the server advertises the library in a header, which it normally does not; inspecting the lockfile or dependency tree of the deployed application is the reliable check.
curl -I https://your-website.com/ | grep -i 'happy-dom'
Attack timeline
- Disclosure: 2025-10-10
Threat intelligence
- Exploitation status: no confirmed in-the-wild exploitation and no public proof of concept at the time of writing
- EPSS: 0.35% (57th percentile)
- CISA KEV: not listed
Affected software
- Package: happy-dom (npm); affected: version 19 and earlier; fixed: 20.0.0, 20.0.1; latest release at the time of writing: 20.9.0
Mitigations and alternatives
The primary mitigation for CVE-2025-61927 is to upgrade to Happy DOM version 20.0.0 or later without delay. If upgrading is not immediately feasible, run the process that hosts Happy DOM in a tightly controlled environment with minimal privileges: a dedicated low-privilege user, no access to secrets it does not need, and restricted outbound network access. This does not prevent the escape, but it limits what a successful exploit can reach. Monitor for unusual child processes and network connections originating from Node.js processes that load Happy DOM. There are no WAF rules or configuration workarounds that close the issue; only the upgrade does.
Remediation
Update the happy-dom dependency to version 20.0.0 or later. That release disables JavaScript evaluation by default, which removes the remote code execution risk for the default configuration. If you need JavaScript evaluation, enable it explicitly and only for content you trust; validating or sanitizing arbitrary JavaScript before executing it is not a dependable control on its own, so combine it with the process-level restrictions described under mitigations.
Frequently asked questions
What is CVE-2025-61927 — RCE in Happy DOM Node.js Library?
CVE-2025-61927 is a critical Remote Code Execution vulnerability in Happy DOM versions 19 and below. It allows attackers to escape the VM Context and execute arbitrary code on the host system.
Am I affected by CVE-2025-61927 in Happy DOM Node.js Library?
You are affected if any copy of Happy DOM in your dependency tree is version 19 or earlier, including copies installed transitively by a test runner. Check your lockfile, not only package.json, to determine whether a vulnerable version is installed.
How do I fix CVE-2025-61927 in Happy DOM Node.js Library?
Upgrade to Happy DOM version 20.0.0 or later to fix this vulnerability, then regenerate your lockfile and confirm that the fixed version is the one actually installed.
Is CVE-2025-61927 being actively exploited?
While no active exploitation has been confirmed, the vulnerability's severity and ease of exploitation suggest a potential for active campaigns. Continuous monitoring is recommended.
Where can I find the official Happy DOM advisory for CVE-2025-61927?
Refer to the Happy DOM project's official repository and release notes for the advisory and further details: [https://github.com/happy-dom/happy-dom](https://github.com/happy-dom/happy-dom)