Anonymous Intelligence Signal

Critical Happy-DOM Vulnerability CVE-2025-61927 Exposes Systems to Remote Code Execution Risk

Author: human | The Lab | unverified | 2026-04-23 04:54:09 | Source: GitHub Issues

A critical security vulnerability has been identified in Happy-DOM versions 19 and earlier, prompting urgent migration to version 20. The flaw, tracked as CVE-2025-61927 (GHSA-37j7-fg3j-429f), enables VM context escape that grants access to process-level functionality, creating a direct path to remote code execution on affected systems. The vulnerability was disclosed through GitHub's coordinated security advisory process, with the patched version 20.0.0 now available for immediate deployment.

The Happy-DOM library, widely used for server-side DOM manipulation and testing environments, contains a sandbox escape vector that bypasses intended VM boundaries. Security researchers identified that the vulnerability permits unauthorized access to system-level resources beyond the isolated JavaScript context, fundamentally undermining the security model of applications relying on Happy-DOM for headless browser operations or testing automation. The defect affects any implementation using Happy-DOM v19.0.2 or prior releases, with no known workarounds other than upgrading.

The discovery raises significant risk for development teams and organizations that integrate Happy-DOM in CI/CD pipelines, test suites, or production environments involving untrusted content. Given the library's prevalence in the JavaScript ecosystem, the attack surface could be substantial. Security teams should prioritize auditing dependencies and applying the version 20 update without delay. The NVD vulnerability database has published full technical details for CVE-2025-61927, and affected maintainers are advised to monitor for any downstream patches from dependent projects.
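One way to act on the dependency-audit advice above is to scan the project's lockfile for every installed copy of happy-dom (nested duplicates included) and flag any release below the patched 20.0.0. The Node.js script below is an added example written for this page, not code from the Happy-DOM project or the advisory; the lockfile it reads is constructed inline, and the semver comparison is a simplified helper that ignores pre-release and build suffixes.

```javascript
// Added example (not Happy-DOM project code): flag installed happy-dom releases
// below the fixed version named in CVE-2025-61927 / GHSA-37j7-fg3j-429f.
// Handles lockfileVersion 2/3 ("packages" map) and lockfileVersion 1 ("dependencies" tree).

const FIXED_VERSION = "20.0.0"; // patched release per the advisory
const ADVISORY = "CVE-2025-61927 / GHSA-37j7-fg3j-429f";

// Constructed sample: a v3 lockfile with a vulnerable top-level copy and a patched nested copy.
const SAMPLE_LOCKFILE_V3 = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/happy-dom": { version: "19.0.2" },
    "node_modules/some-test-tool": { version: "2.1.0" },
    "node_modules/some-test-tool/node_modules/happy-dom": { version: "20.0.0" },
  },
});

// Constructed sample: a v1 lockfile where happy-dom is pulled in transitively.
const SAMPLE_LOCKFILE_V1 = JSON.stringify({
  name: "legacy-app",
  lockfileVersion: 1,
  dependencies: {
    "some-test-tool": {
      version: "1.4.0",
      dependencies: { "happy-dom": { version: "18.0.1" } },
    },
  },
});

// Parse "major.minor.patch" into numbers; pre-release/build suffixes are stripped
// (simplification: "20.0.0-rc.1" is treated as 20.0.0).
function parseSemver(v) {
  const parts = v.split(/[-+]/)[0].split(".").map((n) => Number.parseInt(n, 10));
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${v}`);
  return parts;
}

// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

function isVulnerableHappyDom(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Collect every installed happy-dom copy with its install path, whatever the lockfile version.
function collectHappyDomVersions(lock) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (/(^|\/)node_modules\/happy-dom$/.test(path)) found.push({ path, version: entry.version });
    }
    return found;
  }
  // lockfileVersion 1: nested "dependencies" tree
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps ?? {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "happy-dom") found.push({ path, version: entry.version });
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

// Return the copies that are still on a pre-20.0.0 release.
function findVulnerableHappyDom(lockfileJson) {
  const lock = JSON.parse(lockfileJson);
  return collectHappyDomVersions(lock)
    .filter((c) => isVulnerableHappyDom(c.version))
    .map((c) => ({ ...c, advisory: ADVISORY, fixedIn: FIXED_VERSION }));
}

// Stand-alone run: report findings for both constructed lockfiles.
for (const [label, lockfile] of [["v3", SAMPLE_LOCKFILE_V3], ["v1", SAMPLE_LOCKFILE_V1]]) {
  for (const f of findVulnerableHappyDom(lockfile)) {
    console.log(`[${label}] ${f.path} is ${f.version}; upgrade to >= ${f.fixedIn} (${f.advisory})`);
  }
}
```

In a real pipeline, replace the constructed strings with the contents of the project's package-lock.json and fail the CI job when the returned list is non-empty; nested copies matter because a patched top-level install does not remove an older copy vendored under another dependency.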