Skip to main content

Happy Dom EUVDEUVD-2026-16893

| CVE-2026-34226 HIGH
Insertion of Sensitive Information Into Sent Data (CWE-201)
2026-03-27 GitHub_M GHSA-w4gp-fjgq-3q4g
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 27, 2026 - 22:00 euvd
EUVD-2026-16893
Analysis Generated
Mar 27, 2026 - 22:00 vuln.today
CVE Published
Mar 27, 2026 - 21:17 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 4 npm packages depend on happy-dom (4 direct, 0 indirect)

Ecosystem-wide dependent count for version 20.8.9.

DescriptionCVE.org

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (window.location) instead of the request target URL when fetch(..., { credentials: "include" }) is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.

AnalysisAI

Cookie leakage in Happy DOM JavaScript library (all versions prior to 20.8.9) allows remote attackers to steal authentication cookies across origins when fetch() is invoked with credentials:include. The vulnerability stems from the library incorrectly attaching cookies from the current page origin (window.location) rather than the request target URL, enabling cross-origin cookie exfiltration. EPSS data not available, but exploitation requires no authentication (PR:N) with low complexity (AC:L), making this readily exploitable. Upstream fix available (PR/commit); released patched version not independently confirmed.

Technical ContextAI

Happy DOM is a headless browser implementation in JavaScript, commonly used in testing frameworks like Vitest and Jest for DOM manipulation without a real browser. The vulnerability resides in FetchRequestHeaderUtility.ts, where the cookie attachment logic fails to properly validate the origin boundary during fetch operations. When developers use the Fetch API with credentials mode set to 'include', the library should attach only cookies relevant to the destination domain. Instead, it incorrectly attaches cookies from the current execution context's origin (window.location). This violates the Same-Origin Policy (SOP) enforcement that real browsers implement. The root cause maps to CWE-201 (Insertion of Sensitive Information Into Sent Data), where authentication tokens meant for origin A are inadvertently transmitted to origin B. The affected component (cpe:2.3:a:capricorn86:happy-dom) is used extensively in Node.js testing environments where developers simulate browser behavior for unit and integration tests.

RemediationAI

Upgrade to Happy DOM version 20.8.9 or later, which implements proper origin validation in cookie attachment logic as documented in the official release at https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9. The fix is delivered through pull request 2117 (https://github.com/capricorn86/happy-dom/pull/2117) and commit 68324c21d7b98f53f7bb5a7b3e185bda7106e751. Organizations can verify remediation by reviewing FetchRequestHeaderUtility.ts to confirm cookies are now scoped to the request target URL rather than window.location origin. For environments unable to immediately upgrade, implement workarounds by avoiding credentials:include in cross-origin fetch calls, or implement application-layer origin validation before invoking fetch. Update package.json dependencies and run npm audit to identify transitive dependencies that may bundle vulnerable Happy DOM versions.

Vendor StatusVendor

Share

EUVD-2026-16893 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy