Platform
nodejs
Component
happy-dom
Fixed in
20.8.10
CVE-2026-34226 is a high-severity vulnerability affecting Happy DOM versions up to 20.8.9. This vulnerability allows cookies from the current page origin to be attached to requests to different origins when using the fetch API with the credentials: "include" option. This can lead to unintended cookie leakage, potentially exposing sensitive user data. The vulnerability is fixed in version 20.8.9.
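To make the described behaviour concrete, here is an added example (not Happy DOM code, and not from the advisory) that models the cookie-scoping rule a fetch implementation has to follow and uses it to check another implementation for the kind of leak described above. `cookiesForRequest`, `findLeaks`, `leakyCookiesForRequest` and the cookie jar are this example's own constructs; the domain-matching rule is a simplified form of RFC 6265 section 5.1.3 (host equals the cookie domain, or ends with "." plus the domain).

```javascript
// Constructed cookie jar: a session cookie scoped to the page's host and a
// preference cookie scoped to a second host the page legitimately talks to.
const CONSTRUCTED_JAR = [
  { name: "session", value: "abc123", domain: "app.example", secure: true },
  { name: "pref", value: "dark", domain: "cdn.example", secure: false },
];

// Simplified RFC 6265 domain match: exact host, or host is a subdomain.
function domainMatches(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Reference rule: which cookies a correct implementation attaches to a
// request issued from pageOrigin to url under the given credentials mode.
function cookiesForRequest(jar, pageOrigin, url, credentials) {
  const target = new URL(url);
  const page = new URL(pageOrigin);
  if (credentials === "omit") return [];
  if (credentials === "same-origin" && target.origin !== page.origin) return [];
  // "include": attach only cookies scoped to the *target* host (and honour
  // the Secure flag). The page's own cookies are never copied wholesale.
  return jar.filter(
    (c) => domainMatches(target.hostname, c.domain) && (!c.secure || target.protocol === "https:")
  );
}

// Compare an implementation under test (same signature as cookiesForRequest)
// against the reference rule and return the names of cookies it would send
// that the rule would not: those are cross-origin leaks.
function findLeaks(implUnderTest, jar, pageOrigin, url, credentials) {
  const expected = new Set(cookiesForRequest(jar, pageOrigin, url, credentials).map((c) => c.name));
  return implUnderTest(jar, pageOrigin, url, credentials)
    .map((c) => c.name)
    .filter((name) => !expected.has(name));
}

// Constructed model of the defect class described in the advisory: with
// credentials "include", every cookie of the page origin is attached no
// matter where the request goes. Used only as the subject of findLeaks.
function leakyCookiesForRequest(jar, pageOrigin, url, credentials) {
  if (credentials !== "include") return cookiesForRequest(jar, pageOrigin, url, credentials);
  const page = new URL(pageOrigin);
  return jar.filter((c) => domainMatches(page.hostname, c.domain));
}

// Usage: findLeaks(leakyCookiesForRequest, CONSTRUCTED_JAR,
//   "https://app.example", "https://other.example/collect", "include")
// reports ["session"]; the reference rule itself reports no leaks.
```

The same `findLeaks` harness can be pointed at a real DOM implementation's cookie handling once it is wrapped in the same `(jar, pageOrigin, url, credentials)` signature, which is the shape of the post-upgrade check the mitigation section asks for.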
The primary impact of CVE-2026-34226 is the potential for cookie leakage. An attacker could exploit this vulnerability in applications using Happy DOM for headless browser automation to intercept requests and steal cookies. This could allow them to impersonate users, access sensitive data, or perform unauthorized actions. The risk is particularly acute in environments where Happy DOM is used to automate tasks involving authentication or access to protected resources. This vulnerability shares similarities with other cross-origin cookie leakage issues, where improper handling of credentials can expose user data.
CVE-2026-34226 was publicly disclosed on 2026-03-27. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. No public proof-of-concept (PoC) exploits have been released, but the vulnerability's nature makes it likely that PoCs will emerge. The vulnerability's severity and potential impact warrant careful monitoring.
Applications utilizing Happy DOM for headless browser automation, particularly those involved in web scraping, testing, or automated form filling, are at risk. This includes developers and organizations using Happy DOM as a component in their CI/CD pipelines or for automated user interactions.
• nodejs: Use npm audit to check for vulnerable versions of Happy DOM, and npm ls to see which version is installed:
npm audit
npm ls happy-dom
• nodejs: Inspect application code for usage of fetch with credentials: "include". Search for patterns like fetch(..., { credentials: "include" }).
• generic web: Review application logs for unusual cross-origin requests that might indicate cookie leakage. Monitor for unexpected cookies being sent to third-party domains.
Disclosure
Exploit status
EPSS
0.03% (10th percentile)
CISA SSVC
CVSS vector
The recommended mitigation for CVE-2026-34226 is to upgrade to Happy DOM version 20.8.9 or later. If upgrading is not immediately feasible, consider implementing stricter origin validation within your application to prevent requests to unintended origins. Additionally, review your application's use of the fetch API and ensure that the credentials: "include" option is only used when absolutely necessary and with appropriate security controls. There are no specific WAF rules or detection signatures readily available for this vulnerability, as it's a code-level issue. After upgrading, confirm the fix by testing fetch requests with credentials: "include" to different origins and verifying that cookies are not being leaked.
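For the interim mitigation above (stricter origin validation, and credentials: "include" only where necessary), here is an added example, not part of Happy DOM or the advisory, of a fetch wrapper that honours credentials: "include" only for the page's own origin and an explicit allowlist, downgrading every other credentialed cross-origin request to "omit" and reporting it. `makeGuardedFetch`, `recordingFetch`, `simulate` and the origins used are this example's own; the recording stand-in replaces network I/O so the wrapper runs offline.

```javascript
// Wrap a fetch implementation with an origin allowlist for credentialed requests.
// baseFetch: the real fetch (or a stand-in); pageOrigin: the document's origin;
// allowedOrigins: origins that may receive credentials: "include";
// onDowngrade: callback invoked whenever a request is downgraded to "omit".
function makeGuardedFetch(baseFetch, pageOrigin, allowedOrigins, onDowngrade = () => {}) {
  const allowed = new Set([new URL(pageOrigin).origin, ...allowedOrigins.map((o) => new URL(o).origin)]);
  return function guardedFetch(input, init = {}) {
    // Accept string, URL or Request-like input; resolve relative URLs against the page.
    const url = input instanceof URL ? input.href : typeof input === "string" ? input : input.url;
    const targetOrigin = new URL(url, pageOrigin).origin;
    const requested = init.credentials ?? "same-origin";
    let effective = requested;
    if (requested === "include" && !allowed.has(targetOrigin)) {
      effective = "omit";
      onDowngrade({ url, targetOrigin, requested, effective });
    }
    return baseFetch(url, { ...init, credentials: effective });
  };
}

// Constructed stand-in for fetch: records each call synchronously and returns
// a resolved stub response instead of touching the network.
function recordingFetch(calls) {
  return (url, init) => {
    calls.push({ url, credentials: init.credentials });
    return Promise.resolve({ ok: true, status: 200, url });
  };
}

// Drive a few requests through the guard and return what the stand-in saw.
// No awaiting is needed because recordingFetch records before returning.
function simulate() {
  const calls = [];
  const downgrades = [];
  const pageOrigin = "https://app.example";
  const guarded = makeGuardedFetch(recordingFetch(calls), pageOrigin, ["https://api.example"], (e) => downgrades.push(e));
  guarded("/me", { credentials: "include" });                          // same origin: allowed
  guarded("https://api.example/v1/profile", { credentials: "include" }); // allowlisted: allowed
  guarded("https://analytics.example/beacon", { credentials: "include" }); // not allowlisted: downgraded
  guarded("https://analytics.example/beacon");                          // no credentials requested
  return { calls, downgrades };
}
```

The `onDowngrade` hook is the detection point: routing it to the application log gives the "unexpected cookies being sent to third-party domains" signal the detection section describes, and the allowlist doubles as documentation of where credentialed cross-origin calls are actually necessary.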
Upgrade Happy DOM to version 20.8.9 or later. This version fixes the vulnerability that allows cookies to leak across origins when using `fetch` with the `credentials: 'include'` option.
CVE-2026-34226 is a high-severity vulnerability in Happy DOM versions up to 20.8.9 that allows cookies to be leaked to unintended origins when using fetch with credentials: "include".
You are affected if you are using Happy DOM version 20.8.9 or earlier and your application uses the fetch API with credentials: "include".
Upgrade to Happy DOM version 20.8.9 or later. If immediate upgrade is not possible, implement stricter origin validation in your application.
There is no current evidence of active exploitation, but the vulnerability's nature suggests potential for exploitation and PoC development.
Refer to the Happy DOM project's repository and release notes for the official advisory and details on the fix: [https://github.com/happy-dom/happy-dom](https://github.com/happy-dom/happy-dom)