Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 4 npm packages depend on happy-dom (4 direct, 0 indirect)
Ecosystem-wide dependent count for version 20.8.9.
DescriptionCVE.org
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (window.location) instead of the request target URL when fetch(..., { credentials: "include" }) is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.
AnalysisAI
Cookie leakage in Happy DOM JavaScript library (all versions prior to 20.8.9) allows remote attackers to steal authentication cookies across origins when fetch() is invoked with credentials:include. The vulnerability stems from the library incorrectly attaching cookies from the current page origin (window.location) rather than the request target URL, enabling cross-origin cookie exfiltration. EPSS data not available, but exploitation requires no authentication (PR:N) with low complexity (AC:L), making this readily exploitable. Upstream fix available (PR/commit); released patched version not independently confirmed.
Technical ContextAI
Happy DOM is a headless browser implementation in JavaScript, commonly used in testing frameworks like Vitest and Jest for DOM manipulation without a real browser. The vulnerability resides in FetchRequestHeaderUtility.ts, where the cookie attachment logic fails to properly validate the origin boundary during fetch operations. When developers use the Fetch API with credentials mode set to 'include', the library should attach only cookies relevant to the destination domain. Instead, it incorrectly attaches cookies from the current execution context's origin (window.location). This violates the Same-Origin Policy (SOP) enforcement that real browsers implement. The root cause maps to CWE-201 (Insertion of Sensitive Information Into Sent Data), where authentication tokens meant for origin A are inadvertently transmitted to origin B. The affected component (cpe:2.3:a:capricorn86:happy-dom) is used extensively in Node.js testing environments where developers simulate browser behavior for unit and integration tests.
RemediationAI
Upgrade to Happy DOM version 20.8.9 or later, which implements proper origin validation in cookie attachment logic as documented in the official release at https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9. The fix is delivered through pull request 2117 (https://github.com/capricorn86/happy-dom/pull/2117) and commit 68324c21d7b98f53f7bb5a7b3e185bda7106e751. Organizations can verify remediation by reviewing FetchRequestHeaderUtility.ts to confirm cookies are now scoped to the request target URL rather than window.location origin. For environments unable to immediately upgrade, implement workarounds by avoiding credentials:include in cross-origin fetch calls, or implement application-layer origin validation before invoking fetch. Update package.json dependencies and run npm audit to identify transitive dependencies that may bundle vulnerable Happy DOM versions.
Same technique Information Disclosure
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16893
GHSA-w4gp-fjgq-3q4g