CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.
Analysis
Cookie leakage in the Happy DOM JavaScript library (all versions prior to 20.8.9) allows remote attackers to steal authentication cookies across origins when `fetch()` is invoked with `credentials: "include"`. The vulnerability stems from the library incorrectly attaching cookies from the current page origin (`window.location`) rather than the request target URL, enabling cross-origin cookie exfiltration. …
Remediation
Within 24 hours: Identify all applications and development environments using Happy DOM library versions prior to 20.8.9 by scanning package.json, lock files, and dependency manifests; communicate findings to affected development teams. Within 7 days: Upgrade to Happy DOM version 20.8.9 or later on all systems (verify upstream release confirms security fix); test applications thoroughly in staging before production deployment. …
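One way to run the lockfile check described above, as an added example that is not part of the advisory or the Happy DOM project: it takes a parsed `package-lock.json` and flags every installed `happy-dom` copy older than 20.8.9. The function names and the sample lockfile are constructed for illustration; the layout assumed is npm's `packages` map (lockfileVersion 2/3) and nested `dependencies` (lockfileVersion 1).

```javascript
// Added example: flag happy-dom copies in a parsed package-lock.json that predate 20.8.9.
const PACKAGE = "happy-dom";
const FIXED = [20, 8, 9]; // fixed version stated in the advisory

// True when `version` sorts before 20.8.9 under semver ordering.
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(version));
  if (!m) return true; // unparseable or missing version: flag for manual review
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return m[4] !== undefined; // a prerelease of 20.8.9 sorts before the release
}

// Collect every installed copy of happy-dom, including nested (transitive) ones.
// lockfileVersion 2/3 lists installs under "packages", keyed by install path;
// lockfileVersion 1 nests them under "dependencies".
function findHappyDom(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`)) {
      found.push({ path, version: meta.version });
    }
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PACKAGE) found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, ""); // v2 duplicates both maps; read one
  return found.map((e) => ({ ...e, affected: isAffected(e.version) }));
}

// Constructed sample lockfile (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/happy-dom": { version: "20.8.9" },
    "node_modules/test-helper/node_modules/happy-dom": { version: "20.8.8" },
    "node_modules/not-happy-dom": { version: "1.0.0" },
  },
};

console.log(findHappyDom(SAMPLE_LOCK));
```

To scan a real project, pass the result of `JSON.parse` on the lockfile's contents to `findHappyDom`; yarn and pnpm lockfiles use different formats and are not covered here.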
EUVD-2026-16893
GHSA-w4gp-fjgq-3q4g