Horizon Alert
Summary of the vulnerability and why it matters
A critical vulnerability exists in the Happy DOM JavaScript library, affecting how it processes module scripts. This issue could allow attackers to execute arbitrary code remotely if specific conditions are met, potentially leading to significant compromise of affected systems.
- Code injection in a JavaScript library.
- Critical issue impacts remote code execution.
- Confirm if this library is in use.
Attack Path
How an attacker could exploit the issue
An attacker could execute arbitrary code on a system by submitting specially crafted JavaScript code through a feature that processes ES module scripts. This code injection occurs within `export { }` declarations because the `ECMAScriptModuleCompiler` directly embeds unsanitized input, and a filtering mechanism fails to block template literals. This vulnerability allows remote code execution when processed by happy-dom.
- No authentication required.
- Malicious script in module exports.
- Remote code execution.
Live Threat
Current exploitation, exposure, and threat context
When supported by the advisory, an attacker could achieve remote code execution by injecting malicious JavaScript expressions into module scripts processed by happy-dom. This occurs when the compiler directly interpolates unsanitized content into generated code, bypassing quote filtering.
- Arbitrary JavaScript code execution.
- Injection via specially crafted module scripts.
- System compromise and data manipulation.
Operational Fix
Recommended remediation, mitigation, and detection steps
Real-world remediation for this critical code injection vulnerability in happy-dom requires identifying all instances of the affected versions, confirming their reachability and business criticality, and then engaging the appropriate teams for patching or mitigation. Application owners or platform teams responsible for Node.js environments are likely to manage these libraries. The first practical step is an asset inventory to locate all happy-dom deployments, followed by an exposure assessment to prioritize remediation efforts.
- Application owners should manage remediation.
- Verify happy-dom deployment reachability.
- Plan updates during maintenance windows.