Mallory
Severity: High · Public exploit

Happy DOM VM Context Escape RCE

Identifiers: CVE-2025-61927 · CWE-94 (Improper Control of Generation of…)

CVE-2025-61927 is a critical remote code execution vulnerability in Happy DOM affecting version 19 and earlier. Happy DOM uses a Node.js VM Context for JavaScript evaluation, but that context is not a true security boundary. When untrusted JavaScript is executed inside the Happy DOM VM Context, an attacker can escape the sandbox and reach process-level functionality. Reported exploitation involves traversing the JavaScript constructor/inheritance chain to obtain the global Function constructor, enabling arbitrary code string evaluation outside the intended isolation boundary. In CommonJS deployments, successful escape can expose the require() function and permit loading of Node.js modules; in ESM contexts, access may still extend to sensitive process-level objects. The issue is exacerbated by the fact that JavaScript evaluation is enabled by default in affected versions.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can result in remote code execution in the Node.js process hosting Happy DOM. Depending on runtime configuration, an attacker may gain access to require(), process, and imported Node.js capabilities, enabling arbitrary command execution, file system access, theft of environment variables, configuration files, and secrets, modification or persistence on the host, and potentially network-based follow-on activity or lateral movement from the compromised application context.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, disable JavaScript evaluation in Happy DOM unless all processed content is fully trusted. Avoid executing untrusted JavaScript or rendering untrusted/user-controlled HTML in environments where script execution is enabled. As an additional hardening measure, run Node.js with the --disallow-code-generation-from-strings flag to block eval()/Function()-style string-based code generation at the process level.

Remediation

Patch, then assume compromise.

Upgrade Happy DOM to version 20.0.0 or later. The patch changes JavaScript evaluation to be disabled by default and adds warnings for potentially insecure enablement scenarios. Any deployment processing untrusted or user-controlled content should prioritize upgrading immediately.

Public exploits

No public exploits tracked yet. Mallory keeps watching.


No public exploit code observed for this vulnerability.
