Improper Control of Generation of Code ('Code Injection')
CVE-2025-61927
Summary
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Happy DOM versions through v19.0.2 contain a security vulnerability that puts the owner's system at risk of RCE (Remote Code Execution) attacks. A Node.js VM Context is not an isolated environment: if the user runs untrusted JavaScript code within the Happy DOM VM Context, that code may escape the VM and gain access to process-level functionality. What the attacker can gain control over appears to depend on whether the process is using ESM or CommonJS. With CommonJS, the attacker can get hold of the `require()` function to import modules. Happy DOM has JavaScript evaluation enabled by default. This may not be obvious to consumers of Happy DOM and can put them at risk if untrusted code is executed within the environment. Version 20.0.0 patches the issue by changing JavaScript evaluation to be disabled by default.
- LOW
- NETWORK
- ACTIVE
- HIGH
CWE-94 - Code Injection
Code injection is a type of vulnerability that allows an attacker to execute arbitrary code. This vulnerability fully compromises the machine and can cause a wide variety of security issues, such as unauthorized access to sensitive information, manipulation of data, and denial of service attacks. Code injection differs from command injection in that it is limited by the functionality of the injected language (e.g. PHP), whereas command injection leverages existing code to execute commands, usually within the context of a shell.