Critical Remote Code Execution Vulnerability in Happy DOM JavaScript Library
A critical security vulnerability, tracked as CVE-2025-61927, has been discovered in the Happy DOM JavaScript library, which is widely used for server-side rendering and testing frameworks. The flaw allows attackers to escape the virtual machine (VM) context, potentially leading to remote code execution on affected systems. Happy DOM, with over 2.7 million weekly downloads, is integrated into numerous applications, amplifying the potential impact of this vulnerability.

The root cause of the issue lies in improper isolation of the Node.js VM context in Happy DOM versions 19 and earlier, which fails to adequately sandbox untrusted code. Security researcher Mas0nShi identified that attackers can exploit the JavaScript constructor inheritance chain to access the global Function constructor, enabling arbitrary code execution. In environments using the CommonJS module system, attackers can further leverage the require() function to import and execute additional modules, broadening the attack surface. While ECMAScript module (ESM) environments restrict some capabilities, they are still affected by the core VM context escape.

The vulnerability has been assigned a CVSS score of 9.4, underscoring its severity and the urgency for remediation. Millions of applications that rely on Happy DOM for testing or server-side rendering are at risk if they have not updated to a patched version. The flaw enables attackers to bypass intended security boundaries, potentially compromising the host system and any sensitive data processed within the affected environment. Security advisories recommend immediate updates to the latest version of Happy DOM to mitigate the risk. Organizations are urged to review their software supply chain for dependencies on Happy DOM and to apply patches as soon as possible. The vulnerability highlights the risks associated with improper sandboxing in JavaScript environments, especially in widely adopted open-source libraries.
No reports of active exploitation have been confirmed at this time, but the public disclosure and technical details increase the likelihood of exploitation attempts. Security teams should monitor for suspicious activity related to Node.js processes and review application logs for signs of compromise. The incident serves as a reminder of the importance of rigorous security testing and isolation in libraries that execute untrusted code. Developers and DevOps teams should prioritize dependency management and vulnerability scanning to reduce exposure to similar flaws in the future.
Timeline
Oct 14, 2025
Happy DOM version 20 fixes CVE-2025-61927
Happy DOM version 20 addressed the vulnerability by disabling JavaScript evaluation by default and adding warnings. The issue affects version 19 and earlier, and users were advised to upgrade and apply additional hardening measures where possible.
Oct 13, 2025
Critical Happy DOM RCE flaw CVE-2025-61927 is disclosed
A critical vulnerability tracked as CVE-2025-61927 was reported in the Happy DOM JavaScript library, with a CVSS score of 9.4. The flaw allows Node.js VM context escape and potential remote code execution in environments that process untrusted HTML.
Related Stories

Critical React Framework Vulnerability Enables Remote Code Execution and Supply Chain Risk
A maximum severity vulnerability, tracked as CVE-2025-55182, was discovered and patched in the React JavaScript framework, affecting all versions since 19.0. The flaw, stemming from insecure deserialization in React Server Components payload handling, allows unauthenticated remote code execution, putting millions of web applications and cloud environments at risk. Security researchers highlighted that exploit code is publicly available, and scans indicate that 39% of cloud environments contain vulnerable React instances or use similarly affected versions of Next.js, a related framework. The vulnerability has existed since at least November 2024, and its widespread impact has prompted urgent patching efforts across the industry. The incident has raised significant concerns about software supply chain security, as React is one of the most widely used front-end frameworks globally, with estimates of 55-87 million websites potentially affected. Cybersecurity experts warn that the increasing complexity and automation in software development, combined with the power of AI, are likely to make such vulnerabilities more frequent and severe. The rapid response from the developer community and security vendors underscores the critical nature of this flaw and the ongoing challenges in securing modern web infrastructure against sophisticated exploitation techniques.
1 month ago
Critical SandboxJS Sandbox-Escape Vulnerabilities Enabling Host Code Execution
Multiple **critical vulnerabilities in *SandboxJS***—a JavaScript sandboxing library used to run untrusted code—were disclosed as enabling **sandbox escape and arbitrary code execution on the host**, with several issues scored **CVSS 10.0**. Reported flaws include **CVE-2026-25520**, **CVE-2026-25586**, **CVE-2026-25587**, and **CVE-2026-25641**, described as providing multiple paths to break out of SandboxJS’s isolation guarantees and take over the underlying runtime environment. Technical details published for **CVE-2026-25520** indicate that, prior to *SandboxJS* `0.8.29`, **function return values are not wrapped**, allowing attackers to use `Object.values()`/`Object.entries()` to obtain an array containing the host’s `Function` constructor (e.g., via `Array.prototype.at`), which can then be used to execute code outside the sandbox; the issue is fixed in `0.8.29` (with a referenced upstream commit and GitHub Security Advisory). Additional reported escape vectors include manipulation of supposedly safe prototypes (e.g., overwriting `Map.prototype.has` via a bug in the library’s `let` implementation) and a **host prototype pollution** condition tied to unsafe property-checking logic, collectively undermining the library’s core containment model.
1 month ago
Critical Unauthenticated RCE Vulnerabilities in React Server Components and Next.js
A critical unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2025-55182, has been discovered in React Server Components, affecting core React packages (`react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`) in versions 19.0, 19.1.0, 19.1.1, and 19.2.0. The flaw arises from unsafe deserialization of payloads sent to React Server Function endpoints, allowing attackers to execute arbitrary code on the server without authentication. This vulnerability also impacts frameworks and bundlers that integrate React Server Components, including Next.js (assigned CVE-2025-66478), Vite, Parcel, React Router, RedwoodSDK, and Waku. Even default configurations and newly generated Next.js applications are vulnerable, and exploitation requires only a crafted HTTP request, with no developer error or special setup needed. Immediate patching is strongly advised, as the vulnerability is rated CVSS 10.0 (critical) and has been shown to be highly reliable in exploitation tests. Patched versions are available for React (19.0.1, 19.1.2, 19.2.1) and Next.js (15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7), and users are urged to upgrade all affected packages and dependencies. Some hosting providers, such as Vercel, have implemented temporary platform-level mitigations, but these are not a substitute for patching. Security researchers estimate that up to 39% of cloud environments may contain vulnerable instances, underscoring the urgency of remediation across the React and Next.js ecosystem.
1 month ago