Platform: nodejs
Component: happy-dom
Fixed in: 15.10.3, 15.10.2
CVE-2024-51757 represents a critical Remote Code Execution (RCE) vulnerability discovered in the happy-dom Node.js package. This flaw allows attackers to potentially execute arbitrary code on systems utilizing vulnerable versions of the package. The vulnerability impacts versions before 15.10.2, and a patch has been released to address the issue.
The core of this vulnerability lies in how happy-dom handles HTML parsing. An attacker can craft malicious HTML content that, when processed by happy-dom, triggers the execution of arbitrary code. This can lead to complete system compromise, including data theft, malware installation, and denial of service. The impact is particularly severe because happy-dom is often used in testing and automation environments, potentially granting access to sensitive code repositories and infrastructure. Successful exploitation could allow an attacker to gain control of the entire Node.js application and potentially the underlying server.
This vulnerability has gained significant attention due to its critical severity and the widespread use of happy-dom. It was publicly disclosed on November 6, 2024. While no active exploitation campaigns have been definitively confirmed, the availability of a public proof-of-concept increases the likelihood of exploitation. The vulnerability is not currently listed on the CISA KEV catalog.
Applications and systems utilizing happy-dom in their Node.js projects, particularly those involved in automated testing, server-side rendering, or any scenario where user-supplied input is processed by happy-dom, are at significant risk. Projects relying on older, unmaintained versions of happy-dom are especially vulnerable.
• nodejs / server:
npm list happy-dom
This command lists the installed version of happy-dom. If the version is less than 15.10.2, the system is vulnerable.
• nodejs / server:
npm audit
Run an npm audit to identify vulnerabilities in your project dependencies, including happy-dom.
• nodejs / server:
Inspect package.json for the happy-dom dependency and check the version number.
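The version check from the steps above, applied to every copy of happy-dom recorded in a package-lock.json, including copies nested under other dependencies. This is an added example, not code from this advisory or from the happy-dom project; the sample lockfile is constructed, the helper names (`parseVersion`, `isVulnerable`, `findHappyDom`) are hypothetical, and the 15.10.2 threshold is the fixed version stated on this page.

```javascript
// Added example: flag every happy-dom copy in a lockfile below the fixed version.
const FIXED = "15.10.2"; // fixed version as stated on this page

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when `version` sorts before `fixed`. Unparseable versions are
// reported as vulnerable so they get reviewed by hand.
function isVulnerable(version, fixed = FIXED) {
  const a = parseVersion(version), b = parseVersion(fixed);
  if (!a || !b) return true;
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre; // e.g. 15.10.2-beta.1 precedes 15.10.2
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3),
// which also lists copies nested under other dependencies.
function findHappyDom(lock, fixed = FIXED) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/happy-dom$/.test(path)) continue;
    hits.push({ path, version: meta.version, vulnerable: isVulnerable(meta.version, fixed) });
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/happy-dom": { version: "15.11.0" },
    "node_modules/test-helper/node_modules/happy-dom": { version: "14.12.3" },
    "node_modules/happy-dom-extras": { version: "1.0.0" },
  },
};

for (const h of findHappyDom(sampleLock)) {
  console.log(`${h.vulnerable ? "VULNERABLE" : "ok"}  ${h.version}  ${h.path}`);
}
```

To check a real project, pass the parsed contents of its package-lock.json to `findHappyDom` in place of the sample object.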
EPSS: 0.66% (71st percentile)
The primary mitigation for CVE-2024-51757 is to immediately upgrade to version 15.10.2 or later of the happy-dom package. Unfortunately, there are no readily available workarounds for this RCE vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider isolating vulnerable applications and limiting their network exposure. Carefully review any HTML content processed by happy-dom to identify and sanitize potentially malicious inputs.
Update the happy-dom library to version 15.10.2 or later. This fixes the vulnerability that allows server-side code execution via the <script> tag. You can update the library with npm or yarn.
CVE-2024-51757 is a critical Remote Code Execution (RCE) vulnerability in the happy-dom Node.js package, allowing attackers to execute arbitrary code. It has a CVSS score of 9.5.
You are affected if you are using a version of happy-dom prior to 15.10.2. Check your project dependencies immediately.
Upgrade the happy-dom package to version 15.10.2 or later using npm or yarn. There are no known workarounds.
While no active exploitation campaigns have been publicly reported, the critical severity suggests a high probability of exploitation if left unpatched.
Refer to the GitHub issue [#1585](https://github.com/capricorn86/happy-dom/issues/1585) for details and updates.