CVE-2024-51757
published 2024-11-06CVE-2024-51757: happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the…
PriorityP354critical9.3CVSS 4.0
AVNACLATNPRNUINVCHVIHVAHSCNSINSANEXCRXIRXARXMAVXMACXMATXMPRXMUIXMVCXMVIXMVAXMSCXMSIXMSAXSXAUXRXVXREXUX
EPSS
0.74%
50.0th percentile
happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would execute code in the user context of happy-dom. Users are advised to upgrade to version 15.10.2. There are no known workarounds for this vulnerability.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| capricorn86 | happy-dom | < 15.10.2 | 15.10.2 |
| capricorn86 | happy-dom | >= 0 < 15.10.2 | 15.10.2 |
| capricorn86 | happy-dom | >= 15.10.0 < 20.8.8 | 20.8.8 |
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
ghsa·2026-03-26
CVE-2026-33943 [HIGH] CWE-94 Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
### Summary
A code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization.
### Details
**Vulnerable file**: `packages/happy-dom/src/module/ECMAScriptModuleCompiler.ts`, lines 371-385
The "Export object" handler extracts content from `export { ... }` using the regex `export\s*{([^}]+)}`, then generates
OSV
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
osv·2026-03-26
CVE-2026-33943 [HIGH] Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
### Summary
A code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside `export { }` declarations in ES module scripts processed by happy-dom. The compiler directly interpolates unsanitized content into generated code as an executable expression, and the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization.
### Details
**Vulnerable file**: `packages/happy-dom/src/module/ECMAScriptModuleCompiler.ts`, lines 371-385
The "Export object" handler extracts content from `export { ... }` using the regex `export\s*{([^}]+)}`, then generates
OSV
happy-dom allows for server side code to be executed by a <script> tag
osv·2024-11-06
CVE-2024-51757 [CRITICAL] happy-dom allows for server side code to be executed by a <script> tag
happy-dom allows for server side code to be executed by a tag
### Impact
Consumers of the NPM package `happy-dom`
### Patches
The security vulnerability has been patched in v15.10.2
### Workarounds
No easy workarounds to my knowledge
### References
[#1585](https://github.com/capricorn86/happy-dom/issues/1585)
GHSA
happy-dom allows for server side code to be executed by a <script> tag
ghsa·2024-11-06
CVE-2024-51757 [CRITICAL] CWE-79 happy-dom allows for server side code to be executed by a <script> tag
happy-dom allows for server side code to be executed by a tag
### Impact
Consumers of the NPM package `happy-dom`
### Patches
The security vulnerability has been patched in v15.10.2
### Workarounds
No easy workarounds to my knowledge
### References
[#1585](https://github.com/capricorn86/happy-dom/issues/1585)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/capricorn86/happy-dom/commit/5ee0b1676d4ce20cc2a70d1c9c8d6f1e3f57efachttps://github.com/capricorn86/happy-dom/commit/d23834c232f1cf5519c9418b073f1dcec6b2f0fdhttps://github.com/capricorn86/happy-dom/issues/1585https://github.com/capricorn86/happy-dom/pull/1586https://github.com/capricorn86/happy-dom/releases/tag/v15.10.2https://github.com/capricorn86/happy-dom/security/advisories/GHSA-96g7-g7g9-jxw8
2024-11-06
Published