VYPR

npm package

happy-dom

pkg:npm/happy-dom

Vulnerabilities (5)

  • CVE-2026-34226HigMar 27, 2026
    affected < 20.8.9fixed 20.8.9

    Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. Th

  • CVE-2026-33943HigMar 27, 2026
    affected >= 15.10.0, < 20.8.8fixed 20.8.8

    Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaSc

  • CVE-2025-62410CriOct 15, 2025
    affected >= 19.0.0, < 20.0.2fixed 20.0.2

    In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/process, so attackers can deploy prototype po

  • CVE-2025-61927HigOct 10, 2025
    affected < 20.0.0fixed 20.0.0

    Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks. A Node.js VM Context is not an isolated environ

  • CVE-2024-51757CriNov 6, 2024
    affected < 15.10.2fixed 15.10.2

    happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would execute code in the user context of happy-dom. Users are advised to upgrade to version