A significant security vulnerability has been discovered in Happy DOM, a popular JavaScript library, which allows attackers to escape the VM sandbox and execute arbitrary code. This flaw affects millions of applications using Happy DOM versions 19 and earlier, especially in server-side rendering and testing environments. #HappyDOM #CVE-2025-61927
Key points
- A critical flaw in Happy DOM versions 19 and earlier enables VM context escape, risking remote code execution.
- The vulnerability abuses JavaScript's constructor inheritance chain to reach objects outside the VM context and break sandbox containment.
- Systems using CommonJS are at greater risk because code that escapes the sandbox can reach the require() function, widening the attack surface.
- Impact includes data exfiltration, lateral movement, code execution, and persistent malware on affected systems.
- Upgrading to Happy DOM version 20 or disabling JavaScript evaluation mitigates the vulnerability effectively.
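The two mitigations above are a version bump and a settings change, so the practical first step for a defender is to find every copy of happy-dom in a dependency tree that is still below the fixed major. The following is an added example (not code from the article or from the Happy DOM project) that walks an npm lockfile's `packages` map, including nested transitive copies, and reports any entry whose major version is below 20. The lockfile fragment is constructed for illustration; the fixed major of 20 is taken from the article.

```javascript
// Added example: locate happy-dom installs below the fixed major version.
// Fix version taken from the article (Happy DOM 20 resolves CVE-2025-61927).
const FIXED_MAJOR = 20;

// Extract the numeric major from an installed version such as "19.0.2".
// Lockfiles record resolved versions, not ranges, so a simple parse suffices.
function majorOf(version) {
  const m = /^v?(\d+)\./.exec(String(version).trim());
  return m ? Number(m[1]) : null;
}

// True when the recorded happy-dom version predates the fix.
// Unparseable versions return false so they can be reported separately.
function isAffected(version) {
  const major = majorOf(version);
  return major !== null && major < FIXED_MAJOR;
}

// Walk an npm lockfile "packages" map (lockfile v2/v3 shape) and return every
// happy-dom entry on an affected version, with its path so the finding can be
// traced to a direct or a transitive dependency.
function findAffectedHappyDom(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    // Matches "node_modules/happy-dom" and nested ".../node_modules/happy-dom".
    if (!/(^|\/)node_modules\/happy-dom$/.test(path)) continue;
    if (isAffected(entry.version)) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment: one direct dependency still on an
// affected version and one nested copy already on the fixed major.
const SAMPLE_LOCKFILE = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "happy-dom": "^19.0.0" } },
    "node_modules/happy-dom": { version: "19.0.2" },
    "node_modules/some-test-tool/node_modules/happy-dom": { version: "20.0.0" },
  },
};

// Run against the sample: reports only the direct 19.0.2 install.
const report = findAffectedHappyDom(SAMPLE_LOCKFILE);
console.log(report);
```

Run it against a real `package-lock.json` by replacing `SAMPLE_LOCKFILE` with the parsed file; nested findings are the ones most often missed, because a test tool can pin its own older happy-dom underneath an application that has already upgraded. Where an upgrade cannot be scheduled immediately, the article's second mitigation is to disable JavaScript evaluation in the Happy DOM window settings; the exact option name in the library's settings object is not given in the article and should be confirmed against the project's documentation.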
Read More: https://thecyberexpress.com/critical-cve-2025-61927-vm-context-escape/