Home > Vulnerability Database > CVE-2025-62410

Mend.io Vulnerability Database

CVE-2025-62410

Good to know:

Date: October 15, 2025

In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow via flipping checks of undefined property. This vulnerability is due to an incomplete fix for CVE-2025-61927. The vulnerability is fixed in 20.0.2.

Severity Score

9.0

Related Resources (5)

Url: https://nvd.nist.gov/vuln/detail/CVE-2025-62410

Url: https://github.com/capricorn86/happy-dom/security/advisories/GHSA-qpm2-6cq5-7pq5

Url: https://github.com/capricorn86/happy-dom

Url: https://github.com/capricorn86/happy-dom/commit/f4bd4ebe3fe5abd2be2bcea1c07043c8b0b70eea

Url: https://www.mend.io/vulnerability-database/CVE-2025-62410

Severity Score

9.0

Weakness Type (CWE)

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1321

Top Fix

Upgrade Version

Upgrade to version happy-dom - 20.0.2

Learn More

CVSS v3.1

Base Score:	9.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2025-62410

Good to know:

Date: October 15, 2025

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?