Threat Advisory

Vulnerability in Happy DOM Allows Arbitrary Host Code Execution

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: Critical

EXECUTIVE SUMMARY:

A critical remote-code-execution vulnerability in Happy DOM (CVE-2025-61927, CVSS 9.4) allows untrusted scripts running inside the library's Node.js VM context to escape to the host process. Happy DOM is a widely used headless DOM implementation with 2.7M weekly downloads, and versions 19 and lower are affected. An escape potentially gives attackers access to process-level objects, modules and files, enabling arbitrary command execution, data exfiltration, lateral movement and persistence.

RECOMMENDATION:

We strongly recommend you update Happy DOM to version 20.
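
One way to check a project against this recommendation, as an added example that is not part of the advisory: it scans a parsed npm `package-lock.json` for Happy DOM copies below major version 20, including transitive ones. The sample lockfile and the package names `demo-app`, `some-test-runner` and `happy-dom-extra` are constructed for illustration.

```javascript
// Added example, not from the advisory. Flags happy-dom installs below 20
// (the advisory: v19 and lower affected, update to 20) in an npm lockfile.
const PKG = "happy-dom";
const FIXED_MAJOR = 20;

function majorOf(version) {
  const m = /^(\d+)\./.exec(String(version ?? ""));
  return m ? Number(m[1]) : null;
}

function findAffected(lock) {
  const hits = [];
  const check = (where, version) => {
    const major = majorOf(version);
    // Non-semver values (git URLs, tarballs) are reported for manual review.
    if (major === null || major < FIXED_MAJOR) hits.push({ where, version: version ?? null });
  };
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) {
      check(path, meta.version);
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === PKG) check(trail + name, meta.version);
      walk(meta.dependencies, `${trail}${name} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile; all package names and versions are illustrative.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/happy-dom": { version: "20.0.0" },
    "node_modules/some-test-runner/node_modules/happy-dom": { version: "15.11.7" },
    "node_modules/happy-dom-extra": { version: "1.0.0" },
  },
};

for (const hit of findAffected(SAMPLE_LOCK)) {
  console.log(`affected: ${hit.where} (${hit.version})`);
}
```

For a real project, pass `JSON.parse` of the contents of `package-lock.json` to `findAffected`; an empty result means no locked copy is below version 20.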

REFERENCES:

The following reports contain further technical details:
