2404254 – (CVE-2025-62410) CVE-2025-62410 happy-dom: --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom

Bug 2404254 (CVE-2025-62410) - CVE-2025-62410 happy-dom: --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom

Summary: CVE-2025-62410 happy-dom: --disallow-code-generation-from-strings is not suff...

Keywords:
Status:	NEW
Alias:	CVE-2025-62410
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2404264 2404265
Blocks:
TreeView+	depends on / blocked

Reported:	2025-10-15 18:01 UTC by OSIDB Bzimport
Modified:	2025-10-17 12:20 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-10-15 18:01:53 UTC

In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow via flipping checks of undefined property. This vulnerability is due to an incomplete fix for CVE-2025-61927. The vulnerability is fixed in 20.0.2.

Note You need to log in before you can comment on or make changes to this bug.