VulnerableCode Package Details - pkg:npm/happy-dom@2.48.0

Search for packages

Vulnerability	Summary	Fixed by
VCID-37t5-mg2s-dfbh Aliases: CVE-2024-51757 GHSA-96g7-g7g9-jxw8	happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would execute code in the user context of happy-dom. Users are advised to upgrade to version 15.10.2. There are no known workarounds for this vulnerability.	15.10.2 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-hvjv-qpkc-kug7 Aliases: CVE-2025-61927 GHSA-37j7-fg3j-429f	Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks. A Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM VM Context, it may escape the VM and get access to process level functionality. It seems like what the attacker can get control over depends on if the process is using ESM or CommonJS. With CommonJS the attacker can get hold of the `require()` function to import modules. Happy DOM has JavaScript evaluation enabled by default. This may not be obvious to the consumer of Happy DOM and can potentially put the user at risk if untrusted code is executed within the environment. Version 20.0.0 patches the issue by changing JavaScript evaluation to be disabled by default.	20.0.0 Affected by 3 other vulnerabilities. This version is affected by these other vulnerabilities: {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }} {{ fixed_by_vuln.vulnerability_id }}
VCID-vu96-bjvq-4bex Aliases: CVE-2026-34226 GHSA-w4gp-fjgq-3q4g	Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.	20.8.9 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-37t5-mg2s-dfbh
Aliases:
CVE-2024-51757
GHSA-96g7-g7g9-jxw8

happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would execute code in the user context of happy-dom. Users are advised to upgrade to version 15.10.2. There are no known workarounds for this vulnerability.

15.10.2
Affected by 3 other vulnerabilities.

VCID-hvjv-qpkc-kug7
Aliases:
CVE-2025-61927
GHSA-37j7-fg3j-429f

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks. A Node.js VM Context is not an isolated environment, and if the user runs untrusted JavaScript code within the Happy DOM VM Context, it may escape the VM and get access to process level functionality. It seems like what the attacker can get control over depends on if the process is using ESM or CommonJS. With CommonJS the attacker can get hold of the `require()` function to import modules. Happy DOM has JavaScript evaluation enabled by default. This may not be obvious to the consumer of Happy DOM and can potentially put the user at risk if untrusted code is executed within the environment. Version 20.0.0 patches the issue by changing JavaScript evaluation to be disabled by default.

20.0.0
Affected by 3 other vulnerabilities.

VCID-vu96-bjvq-4bex
Aliases:
CVE-2026-34226
GHSA-w4gp-fjgq-3q4g

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.

20.8.9
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T21:42:19.179254+00:00	GitLab Importer	Affected by	VCID-vu96-bjvq-4bex	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/happy-dom/CVE-2026-34226.yml	38.6.0
2026-06-12T20:23:56.777013+00:00	GitLab Importer	Affected by	VCID-hvjv-qpkc-kug7	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/happy-dom/CVE-2025-61927.yml	38.6.0
2026-06-12T19:45:31.230375+00:00	GitLab Importer	Affected by	VCID-37t5-mg2s-dfbh	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/happy-dom/CVE-2024-51757.yml	38.6.0