CVE-2025-62410: happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript
The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads.
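The gap described above, shown as a defender's check. This is an added example, not code from the advisory or from happy-dom. It assumes Node's built-in `vm` module with `codeGeneration: { strings: false }` as a per-context stand-in for the flag, and the names `runIsolated`, `shared` and both sample scripts are constructed for illustration.

```javascript
'use strict';
const vm = require('node:vm');

// Host-realm built-in prototypes that a script can reach through any shared host object.
const WATCHED = { Object: Object.prototype, Array: Array.prototype, Function: Function.prototype };

// Record the own keys of every watched prototype before untrusted code runs.
function snapshot() {
  const snap = new Map();
  for (const [name, proto] of Object.entries(WATCHED)) {
    snap.set(name, new Set(Reflect.ownKeys(proto)));
  }
  return snap;
}

// Report keys added to host prototypes since `before`, and remove them again.
function diffAndRestore(before) {
  const added = [];
  for (const [name, proto] of Object.entries(WATCHED)) {
    for (const key of Reflect.ownKeys(proto)) {
      if (!before.get(name).has(key)) {
        added.push(`${name}.prototype.${String(key)}`);
        Reflect.deleteProperty(proto, key);
      }
    }
  }
  return added;
}

// Run `source` in a context where eval/Function from strings is disabled.
function runIsolated(source) {
  const before = snapshot();
  // Assumption: a DOM implementation exposes host objects to the script like this.
  const sandbox = { shared: { name: 'host-object' } };
  const context = vm.createContext(sandbox, { codeGeneration: { strings: false, wasm: false } });
  let error = null;
  try {
    vm.runInContext(source, context);
  } catch (e) {
    error = e.name;
  }
  return { error, polluted: diffAndRestore(before) };
}

// Constructed sample scripts: one needs string code generation, one does not.
const SAMPLE_EVAL = 'eval("1 + 1")';
const SAMPLE_PROTO_WRITE = 'Object.getPrototypeOf(shared).constructedMarker = true;';
```

`runIsolated(SAMPLE_EVAL)` is rejected with an `EvalError`, while `runIsolated(SAMPLE_PROTO_WRITE)` completes without error and the snapshot diff is the only thing that reports the change to the host's `Object.prototype`.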