Critical Remote Code Execution Vulnerability in Happy DOM JavaScript Library
A critical security vulnerability, tracked as CVE-2025-61927, has been discovered in the Happy DOM JavaScript library, which is widely used for server-side rendering and testing frameworks. The flaw allows attackers to escape the virtual machine (VM) context, potentially leading to remote code execution on affected systems. Happy DOM, with over 2.7 million weekly downloads, is integrated into numerous applications, amplifying the potential impact of this vulnerability. The root cause of the issue lies in improper isolation of the Node.js VM context in Happy DOM versions 19 and earlier, which fails to adequately sandbox untrusted code. Security researcher Mas0nShi identified that attackers can exploit the JavaScript constructor inheritance chain to access the global Function constructor, enabling arbitrary code execution. In environments using the CommonJS module system, attackers can further leverage the require() function to import and execute additional modules, broadening the attack surface. While ECMAScript module (ESM) environments restrict some capabilities, they are still affected by the core VM context escape. The vulnerability has been assigned a CVSS score of 9.4, underscoring its severity and the urgency for remediation. Millions of applications that rely on Happy DOM for testing or server-side rendering are at risk if they have not updated to a patched version. The flaw enables attackers to bypass intended security boundaries, potentially compromising the host system and any sensitive data processed within the affected environment. Security advisories recommend immediate updates to the latest version of Happy DOM to mitigate the risk. Organizations are urged to review their software supply chain for dependencies on Happy DOM and to apply patches as soon as possible. The vulnerability highlights the risks associated with improper sandboxing in JavaScript environments, especially in widely adopted open-source libraries. No reports of active exploitation have been confirmed at this time, but the public disclosure and technical details increase the likelihood of exploitation attempts. Security teams should monitor for suspicious activity related to Node.js processes and review application logs for signs of compromise. The incident serves as a reminder of the importance of rigorous security testing and isolation in libraries that execute untrusted code. Developers and DevOps teams should prioritize dependency management and vulnerability scanning to reduce exposure to similar flaws in the future.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Happy DOM version 20 fixes CVE-2025-61927
Happy DOM version 20 addressed the vulnerability by disabling JavaScript evaluation by default and adding warnings. The issue affects version 19 and earlier, and users were advised to upgrade and apply additional hardening measures where possible.
Critical Happy DOM RCE flaw CVE-2025-61927 is disclosed
A critical vulnerability tracked as CVE-2025-61927 was reported in the Happy DOM JavaScript library, with a CVSS score of 9.4. The flaw allows Node.js VM context escape and potential remote code execution in environments that process untrusted HTML.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Happy DOM Security Flaw (CVE-2025-61927) Enables VM Context Escape and Remote Code Execution
thecyberexpress.com
Open sourceCVE-2025-61927 (CVSS 9.4): Critical RCE Flaw Discovered in Happy DOM, Over 2.7 Million Weekly Downloads Impacted
securityonline.info
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical vm2 Sandbox Escapes Expose Node.js Hosts to Arbitrary Code Execution
Researchers disclosed a broad set of critical flaws in the `vm2` Node.js sandbox library that allow untrusted JavaScript to break isolation and execute arbitrary code on the host system. Reports describe 11 to 12 vulnerabilities affecting versions across the `3.9.6` to `3.11.1` range, with most rated `CVSS 9.8` to `10.0`, and impacting core protections such as built-in allowlists, object handling, prototype traversal, Promise species behavior, `util.inspect`, `Module._load()`, WebAssembly exception handling, and unsafe `nesting: true` configurations. One tracked issue, **CVE-2026-24118**, is a sandbox breakout through `__lookupGetter__` in versions prior to `3.11.0`, enabling host-level command execution with no privileges or user interaction. The disclosures reinforce long-running concerns that `vm2`'s JavaScript-only isolation model is not dependable for high-risk use cases such as multi-tenant code execution, plugin evaluation, automated grading, and serverless workloads. While some reports recommend upgrading to **vm2 `3.11.2`** for the latest protections, others note that **CVE-2026-44008** and **CVE-2026-44009** remain unpatched and argue that organizations handling untrusted code should consider stronger isolation boundaries such as containers or microVMs. Successful exploitation could expose environment variables, credentials, and files, and enable full compromise of the underlying Node.js host and potential lateral movement.
May 15, 2026
Multiple Critical vm2 Sandbox Escapes Enable Host RCE in Node.js
A wave of disclosures has exposed multiple critical flaws in the Node.js sandbox library **vm2**, showing that untrusted JavaScript can break out of the sandbox and execute commands on the host. GitHub advisories describe several distinct escape paths affecting versions as old as `3.9.6` and, in some cases, up to `3.11.3`, including a breakout through Node.js `inspect`, a Promise species bypass that defeats an earlier patch, prototype pollution through vm2’s bridge to host intrinsic prototypes, and a `NodeVM` misconfiguration path where `nesting: true` lets code bypass `require: false` and load `vm2` recursively to reach modules such as `child_process`. Public proof-of-concepts show attackers recovering the host `process` object and invoking host commands, turning vm2 from a containment boundary into a route to full host compromise. Additional reporting and upstream changes indicate the problems are broader than a single bug. Semgrep documented a new sandbox escape, while vm2 maintainers added regression tests covering descriptor- and prototype-traversal techniques used to recover host constructors such as `Function`, `AsyncFunction`, and `GeneratorFunction`, as well as callback sanitization bypasses tied to Promise handling. A later roundup described five critical vulnerabilities with no practical configuration-based workaround for deployments that execute untrusted code, and urged upgrades to **vm2 `3.11.4` or later**. The advisory backlog on the project’s GitHub page shows a concentrated set of newly published sandbox escape, builtin bypass, and host code execution issues, underscoring that organizations relying on vm2 for isolation should treat affected environments as potentially compromised.
May 25, 2026
Multiple Critical vm2 Sandbox Escapes Enable Host RCE in Node.js Environments
The `vm2` Node.js sandboxing library was hit by a wave of critical sandbox-escape vulnerabilities that let attackers executing untrusted JavaScript break out and run arbitrary commands on the host. Reported flaws include CVE-2026-24120, which bypasses an earlier Promise-species mitigation to reach the host `Function` constructor; CVE-2026-24118, which abuses `__lookupGetter__`, `Buffer.apply`, and prototype traversal; CVE-2026-24781, which leverages `inspect` proxy unwrapping; CVE-2026-26332, which pivots through `SuppressedError`; and CVE-2026-26956, which uses WebAssembly `JSTag` exception handling on Node.js 25+. Across the advisories, affected versions span the `3.10.x` branch and earlier, with several issues requiring only the ability to submit code to a vm2 instance and no authentication or user interaction. The project responded with security releases `v3.10.5` and `v3.11.0`, with `v3.11.0` closing 13 advisories including sandbox escapes, denial-of-service bugs, information disclosure, and prototype pollution. Maintainers also patched a separate `NodeVM` issue tracked as `GHSA-m4wx-m65x-ghrr`, where enabling `nesting: true` with omitted or falsy `require` settings could expose the `vm2` package inside the sandbox and lead to host remote code execution. The releases added broader hardening measures such as `bufferAllocLimit`, stricter handling of dangerous built-ins, and filesystem checks, while maintainers warned that organizations using vm2 to run fully untrusted code should upgrade immediately and avoid treating in-process JavaScript sandboxing as a sole security boundary.
Jun 12, 2026