Bug 2404254 (CVE-2025-62410)

Summary: CVE-2025-62410 happy-dom: --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom
Product: [Other] Security Response
Reporter: OSIDB Bzimport <bzimport>
Component: vulnerability
Assignee: Product Security DevOps Team <prodsec-dev>
Status: NEW
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: sdawley
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: ---
Doc Text:
A sandbox escape in happy-dom allows untrusted JavaScript to run in the same V8 isolate and process as the host application. An attacker can use prototype pollution to overwrite built-in objects (for example Object.prototype) and thereby obtain privileged references such as process or require. This enables arbitrary command execution, information disclosure (access to in-process secrets and environment), and can also be used to cause denial of service (process crash or out-of-memory conditions) or exfiltrate data over the network.
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2404264, 2404265
Bug Blocks:

Description OSIDB Bzimport 2025-10-15 18:01:53 UTC
In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow by flipping checks on an undefined property. This vulnerability is due to an incomplete fix for CVE-2025-61927. The vulnerability is fixed in 20.0.2.