GHSA-qpm2-6cq5-7pq5 · Severity: critical · Ecosystem: npm — happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow via flipping checks of undefined property. This vulnerability is due to an incomplete fix for CVE-2025-61927. The vulnerability is fixed in 20.0.2.
Conclusion & alert: CVE-2025-62410 is rated Moderate Risk (46/100): CVSS Critical severity, with low exploitation likelihood (EPSS 0.32%). Mandatory action: Review affected assets and schedule remediation.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS lead: Daily EPSS estimates relative likelihood of exploitation; percentile ranks this CVE among scored vulnerabilities (higher = more severe relative rank).
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-15 | 0.05% | 0.32% | +0.27% |
| 2 | 2025-10-16 | — | 0.05% | — |
Full EPSS history (2 records total)
CVSS metrics for this CVE.
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 9.4 | 4.0 | CRITICAL |
|
— | — | [email protected] |
GHSA-qpm2-6cq5-7pq5 · Severity: critical · Ecosystem: npm — happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
| vendor | priority | summary | link |
|---|---|---|---|
redhat
|
high | — | https://access.redhat.com/security/cve/CVE-2025-62410 |
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | |||