Happy-Dom Prototype Pollution Vulnerability Allowing Arbitrary Code Execution
Vulnerability
A vulnerability in Happy-Dom versions prior to 20.0.2 allows prototype pollution, which can be used to hijack important references such as 'process' or to manipulate control flow by changing the outcome of checks that rely on a property being undefined. The issue arises because untrusted JavaScript and the application run in the same isolate/process, so untrusted code is not properly isolated from the host. The vulnerability could be exploited to execute arbitrary commands, for example by abusing the 'spawn' function. The root cause is an incomplete fix for a previous vulnerability, CVE-2025-61927.
Impact
Exploitation of this vulnerability breaks out of Node.js' VM isolation, allowing for arbitrary code execution.
Reproduction
To reproduce this vulnerability, load untrusted JavaScript into a Happy-Dom 'Browser' instance with JavaScript evaluation enabled. The untrusted script can then use prototype pollution payloads to hijack references such as 'process'. Once 'process' is hijacked, it can be used to execute arbitrary commands, for example creating a file through a command injection payload.
Remediation
Users are advised to update to Happy-Dom version 20.0.2 or later and to freeze builtins in the global scope to defend against similar attacks. For stronger isolation, consider migrating to 'isolated-vm'.
