CVE-2025-62410: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in capricorn86 happy-dom
In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow by flipping checks on undefined properties. This vulnerability is due to an incomplete fix for CVE-2025-61927. The vulnerability is fixed in 20.0.2.
AI Analysis
Technical Summary
CVE-2025-62410 is a prototype pollution vulnerability in the happy-dom JavaScript DOM implementation library maintained by capricorn86. In versions prior to 20.0.2, the --disallow-code-generation-from-strings measure intended to isolate untrusted JavaScript is insufficient, because untrusted scripts and the main application execute within the same V8 isolate and process. In that shared environment a script can modify the prototype chain of built-in JavaScript objects, and every object in the realm inherits the change. Such pollution can hijack critical references, for example the Node.js 'process' object, which would let an attacker manipulate environment variables, spawn processes, or escalate privileges. It can also flip host-side checks that treat an undefined property as "absent", altering control flow and bypassing security logic. The issue is an incomplete fix for CVE-2025-61927, indicating that the earlier attempt to address prototype pollution was inadequate. The vulnerability has a CVSS 4.0 score of 9.4, reflecting a network attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability. No public exploits are known yet, but the risk is severe given the potential for remote code execution and application compromise. The issue is fixed in happy-dom version 20.0.2, and users are urged to upgrade promptly.
Potential Impact
For European organizations, this vulnerability poses a significant risk especially to those using happy-dom in server-side rendering, testing environments, or any JavaScript execution contexts that process untrusted code. Successful exploitation can lead to remote code execution, data exfiltration, privilege escalation, and disruption of services. This can compromise sensitive data confidentiality and integrity, and cause availability outages. Organizations in sectors such as finance, healthcare, and critical infrastructure that rely on Node.js ecosystems and JavaScript DOM emulation are particularly vulnerable. The shared process execution model increases the attack surface, making containment difficult. Given the high CVSS score and critical severity, failure to patch could lead to severe operational and reputational damage, regulatory non-compliance under GDPR, and potential legal liabilities.
Mitigation Recommendations
European organizations should immediately upgrade all instances of happy-dom to version 20.0.2 or later, where the vulnerability is fixed. Additionally, they should audit their use of untrusted JavaScript execution within the same process or isolate to ensure proper sandboxing. Employ strict input validation and content security policies to limit injection of malicious scripts. Consider architectural changes to separate untrusted code execution into distinct processes or containers to prevent prototype pollution from affecting the main application. Implement runtime monitoring and anomaly detection to identify suspicious prototype modifications or unusual process behavior. Regularly review dependency versions and subscribe to security advisories for timely patching. Finally, conduct security testing focused on prototype pollution and code injection vectors in development and staging environments.
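The same-realm failure mode described in the technical summary, beside the own-property checks, prototype freezing and prototype-integrity monitoring that the mitigation paragraph calls for, as an added JavaScript example (not happy-dom's code and not from the advisory). It assumes Node 16.9+ (for Object.hasOwn) and a host-side feature-flag check that treats an absent property as disabled.

```javascript
'use strict';
// Vulnerable pattern: "absent means disabled". The lookup walks the prototype
// chain, so a polluted Object.prototype flips this check for every object.
function isEnabledUnsafe(flags, name) {
  return flags[name] !== undefined;
}
// Hardened pattern: null-prototype storage plus an own-property test.
function makeFlags(entries) {
  const flags = Object.create(null);            // nothing to pollute upstream
  for (const [k, v] of entries) flags[k] = v;
  return flags;
}
function isEnabledSafe(flags, name) {
  return Object.hasOwn(flags, name) && flags[name] === true;
}
// Detection: snapshot the own keys of the shared prototypes at startup and
// report anything that appears later (run periodically or before sensitive calls).
const WATCHED = { Object: Object.prototype, Array: Array.prototype, Function: Function.prototype };
function snapshotPrototypes() {
  return Object.fromEntries(Object.entries(WATCHED).map(([n, p]) => [n, new Set(Reflect.ownKeys(p))]));
}
function detectPollution(baseline) {
  const findings = [];
  for (const [n, p] of Object.entries(WATCHED))
    for (const key of Reflect.ownKeys(p))
      if (!baseline[n].has(key)) findings.push(`${n}.prototype.${String(key)}`);
  return findings;
}
// Hardening: freeze the shared prototypes before any untrusted code runs, so a
// later write is refused instead of silently changing host behaviour.
function freezeBuiltinPrototypes() {
  return Object.values(WATCHED).every((p) => Object.isFrozen(Object.freeze(p)));
}
// Constructed scenario (assumption: untrusted code shares the realm, as the
// advisory describes). The write is undone afterwards so the demo is repeatable.
function demo() {
  const baseline = snapshotPrototypes();
  const safeFlags = makeFlags([['beta', false]]);
  Object.defineProperty(Object.prototype, 'debugMode', { value: true, configurable: true });
  try {
    return {
      unsafeFlipped: isEnabledUnsafe({ beta: false }, 'debugMode'), // true: check bypassed
      safeHeld: isEnabledSafe(safeFlags, 'debugMode'),             // false: still correct
      detected: detectPollution(baseline),                         // ['Object.prototype.debugMode']
    };
  } finally {
    delete Object.prototype.debugMode;
  }
}
```

Call freezeBuiltinPrototypes() once at startup, before any untrusted script is evaluated; after that, detectPollution() should stay empty and any attempted prototype write fails.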
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-10-13T16:26:12.178Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68efdcb86817339dcf78279f
Added to database: 10/15/2025, 5:41:12 PM
Last enriched: 10/15/2025, 5:49:10 PM
Last updated: 10/15/2025, 7:35:33 PM