NextGuard
UNKNOWNCVE-2026-34226

Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies

Platform

nodejs

Component

happy-dom

Fixed in

20.8.9

View on NVD

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.

How to fix

Actualice la versión de Happy DOM a la 20.8.9 o superior. Esta versión corrige la vulnerabilidad que permite la fuga de cookies entre orígenes al usar la función `fetch` con la opción `credentials: 'include'`.

Monitor your dependencies automatically

Get notified when new vulnerabilities affect your projects. Free forever.

Start free