Critical VM Escape vulnerability reported in Happy DOM
Take action: If you're using Happy DOM, plan a quick update to version 20 or later, which disables JavaScript evaluation by default. If you can't upgrade right away, manually disable JavaScript evaluation in your Happy DOM configuration or run Node.js with the --disallow-code-generation-from-strings flag to prevent VM escape attacks. Then allow JavaScript selectively, only for trusted sources.
A critical security flaw is reported in Happy DOM, a JavaScript library that implements a web browser without a graphical user interface (headless browser).
The vulnerability, tracked as CVE-2025-61927 (CVSS score 9.4), enables authenticated users to escape the Node.js virtual machine context and execute arbitrary code at the process level, potentially leading to complete system compromise.
The root cause is in the fundamental architecture of JavaScript itself. All classes and functions inherit from the Function object, and by systematically walking through the constructor chain, attackers can obtain direct access to the Function constructor at the process level. Since the Function constructor can evaluate code from strings, this creates a pathway for executing arbitrary code outside the intended sandbox. The exploit's effectiveness varies depending on the module system in use. In CommonJS environments, attackers can access the require() function to import additional Node.js modules and perform a wide range of unauthorized operations. In ECMAScript Module (ESM) environments, while direct access to import or require is not possible, attackers can execute code at the process level and access critical system resources.
Happy DOM has JavaScript evaluation enabled by default, which means that any JavaScript code received from a visited website will be executed.
Affected versions of Happy DOM include all releases prior to version 20.
Happy DOM v20 and all subsequent releases disable JavaScript evaluation by default, preventing consumers from accidentally executing untrusted code. For applications that require JavaScript evaluation functionality, administrators must explicitly enable it by setting the enableJavaScriptEvaluation option to true. The update also includes comprehensive warnings that alert users when JavaScript evaluation is enabled in potentially insecure environments, helping to prevent accidental security misconfigurations.
Organizations using vulnerable versions of Happy DOM should update the software to version 20 or above.
For environments where JavaScript evaluation functionality is necessary, implementing the --disallow-code-generation-from-strings flag when running Node.js provides a layer of protection. This flag prevents the use of eval() and the Function() constructor at the process level, closing the loophole that enables the VM escape. Importantly, this restriction allows eval() and Function() to continue operating within the Happy DOM VM without any known security risks, maintaining functionality but preventing the critical escape mechanism.
Organizations unable to immediately upgrade to version 20 should implement an interim mitigation strategy by manually disabling JavaScript evaluation within Happy DOM unless the content being processed originates from completely trusted sources.
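A startup check for the two mitigations described above, written as an added example that is not Happy DOM's own code: it probes whether process-level code generation from strings is actually blocked and derives a value for enableJavaScriptEvaluation. The function names and the policy (trusted source and flag in effect) are assumptions made for illustration.

```javascript
// Added example (not Happy DOM code). Function names and the policy are assumptions.
const FLAG = '--disallow-code-generation-from-strings';

// Was the flag requested on the command line or through NODE_OPTIONS?
// Node.js accepts underscores in place of dashes in option names.
function flagRequested(execArgv = process.execArgv,
                       nodeOptions = process.env.NODE_OPTIONS || '') {
  return [...execArgv, ...nodeOptions.split(/\s+/)]
    .some((arg) => arg.replace(/_/g, '-') === FLAG);
}

// Behavioural probe: with the flag active, compiling code from a string in the
// main (process-level) context throws EvalError. This is the authoritative check,
// because it tests the effect rather than how the process was launched.
function processCodegenAllowed() {
  try {
    new Function('return 1');
    return true;
  } catch (err) {
    if (err instanceof EvalError) return false;
    throw err; // anything else is unexpected; do not guess
  }
}

// Decide the value of Happy DOM's enableJavaScriptEvaluation option for one page load.
// Assumed policy: evaluation is on only for a trusted source AND only when
// process-level code generation is blocked.
function evaluationPolicy({ needsJavaScript, trustedSource,
                            codegenAllowed = processCodegenAllowed() }) {
  const deny = (reason) => ({ enableJavaScriptEvaluation: false, reason });
  if (!needsJavaScript) return deny('JavaScript evaluation not required');
  if (!trustedSource) return deny('content source is not trusted');
  if (codegenAllowed) {
    return deny(`process-level code generation is allowed; start Node.js with ${FLAG}`);
  }
  return { enableJavaScriptEvaluation: true, reason: 'trusted source, flag in effect' };
}

// Report the current process state when run directly.
console.log({
  flagRequested: flagRequested(),
  processCodegenAllowed: processCodegenAllowed(),
  scrapeOfUntrustedSite: evaluationPolicy({ needsJavaScript: true, trustedSource: false }),
});
```

Run it once with and once without the flag to compare the reported state; the returned enableJavaScriptEvaluation value is meant to be passed into the Happy DOM settings of a version 20 or later installation.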