External risk intelligence

Happy DOM Code Injection Vulnerability Enables Remote Code Execution.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-33943

Happy DOM is a library used by developers within Node.js environments for testing or server-side DOM manipulation. It is not an internet-facing service, appliance, or gateway, and its components are typically invoked during local development or internal build/test pipelines rather than deployed as public-facing infrastructure.

Code Injection

Capricorn86 Happy Dom

15.10.0 to before 20.8.8

Halo Surface Signal: 1 out of 5 — much less likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability exists in the Happy DOM JavaScript library, affecting how it processes module scripts. This issue could allow attackers to execute arbitrary code remotely if specific conditions are met, potentially leading to significant compromise of affected systems.

  • Code injection in a JavaScript library.
  • Critical issue impacts remote code execution.
  • Confirm if this library is in use.

Attack Path

How an attacker could exploit the issue

An attacker could execute arbitrary code on a system by submitting specially crafted JavaScript code through a feature that processes ES module scripts. This code injection occurs within `export { }` declarations because the `ECMAScriptModuleCompiler` directly embeds unsanitized input, and a filtering mechanism fails to block template literals. This vulnerability allows remote code execution when processed by happy-dom.

  • No authentication required.
  • Malicious script in module exports.
  • Remote code execution.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, an attacker could achieve remote code execution by injecting malicious JavaScript expressions into module scripts processed by happy-dom. This occurs when the compiler directly interpolates unsanitized content into generated code, bypassing quote filtering.

  • Arbitrary JavaScript code execution.
  • Injection via specially crafted module scripts.
  • System compromise and data manipulation.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world remediation for this critical code injection vulnerability in happy-dom requires identifying all instances of the affected versions, confirming their reachability and business criticality, and then engaging the appropriate teams for patching or mitigation. Application owners or platform teams responsible for Node.js environments are likely to manage these libraries. The first practical step is an asset inventory to locate all happy-dom deployments, followed by an exposure assessment to prioritize remediation efforts.

  • Application owners should manage remediation.
  • Verify happy-dom deployment reachability.
  • Plan updates during maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Happy DOM?

Happy DOM is a library used in Node.js environments to simulate a web browser environment. Developers primarily use it to test web applications or perform server-side DOM manipulation without needing a full graphical browser interface. It allows code that normally runs in a browser to execute within server-side JavaScript projects.

What does CVE-2026-33943 mean for code security?

This vulnerability is classified as Improper Control of Generation of Code. It occurs because the software's module compiler fails to properly sanitize input before embedding it into executable code. Specifically, the library's filtering mechanism is incomplete, allowing attackers to use backticks to bypass protections and inject their own malicious JavaScript commands into the system.

How can an attacker trigger this vulnerability?

The vulnerability is triggered when the library processes a specifically crafted ES module script containing malicious JavaScript within an 'export' declaration. It is important to note that standard, non-malicious module exports or code that does not utilize template literal-based payloads will not trigger the bug. The issue is strictly tied to how the compiler handles unsanitized strings in these specific export statements.

Is my system at risk according to Halo Surface Signal?

Halo Surface Signal indicates that a successful attack is very unlikely for most users. Because Happy DOM is typically a library used in local development or internal build and test pipelines, it is not designed to be an internet-facing gateway or public-facing service. Therefore, your risk depends on whether this library is exposed to untrusted input in a reachable, production-like environment.

What are the first steps to address this issue?

Your first step should be to perform an asset inventory to identify every project or environment where Happy DOM versions 15.10.0 through 20.8.7 are currently in use. Once you have located these instances, verify if any processed data originates from untrusted sources. Finally, coordinate with your development teams to update the library to version 20.8.8 or later, which contains the necessary security fixes.

References