Platform: nodejs
Component: happy-dom
Fixed in: 15.10.3, 15.10.2
CVE-2024-51757 represents a critical Remote Code Execution (RCE) vulnerability discovered in the happy-dom Node.js package. This vulnerability allows attackers to potentially execute arbitrary code on systems utilizing vulnerable versions of the package. The vulnerability is patched in version 15.10.2, and users are strongly advised to upgrade immediately. No easy workarounds are currently known.
The impact of CVE-2024-51757 is severe due to its RCE nature. An attacker who can exploit this vulnerability can gain complete control over the affected system. This could involve installing malware, stealing sensitive data, modifying system configurations, or using the compromised system as a launchpad for further attacks within the network. The scope of potential damage is significant, particularly in environments where happy-dom is used in automated testing or server-side rendering scenarios, potentially exposing backend systems.
CVE-2024-51757 was publicly disclosed on November 6, 2024. The vulnerability stems from an issue within happy-dom's handling of certain DOM events, allowing for code injection. While no active exploitation campaigns have been publicly reported as of this writing, the critical severity and ease of exploitation suggest a high probability of exploitation if left unpatched. Monitor security advisories and threat intelligence feeds for any indications of ongoing attacks.
Exploit Status
EPSS: 0.66% (71st percentile)
CISA SSVC: (not listed)
The primary mitigation for CVE-2024-51757 is to immediately upgrade the happy-dom package to version 15.10.2 or later. Given the RCE nature of the vulnerability, there are no readily available or recommended workarounds beyond upgrading. Consider temporarily disabling features that rely on happy-dom until the upgrade can be completed. Monitor your Node.js project dependencies regularly for known vulnerabilities using tools like npm audit or yarn audit to proactively identify and address potential security risks.
Update the happy-dom library to version 15.10.2 or higher. This will resolve the vulnerability that allows server-side code execution via the `<script>` tag. You can update the library using npm or yarn.
CVE-2024-51757 is a critical Remote Code Execution (RCE) vulnerability in the happy-dom Node.js package, allowing attackers to execute arbitrary code. It has a CVSS score of 9.5.
You are affected if you are using a version of happy-dom prior to 15.10.2. Check your project dependencies immediately.
Upgrade the happy-dom package to version 15.10.2 or later using npm or yarn. There are no known workarounds.
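To act on the advice above (check your dependencies, then upgrade to 15.10.2 or later), here is an added example, not code from this advisory or from the happy-dom project: a small Node.js script that walks a package-lock.json (lockfileVersion 2 or 3) and reports every installed copy of happy-dom older than 15.10.2, including copies nested under other packages, which is where a transitive dependency can keep an old release around after the top-level one is upgraded. The sample lockfile, its package names and every version number other than the fixed 15.10.2 are constructed for illustration.

```javascript
// Added example (not part of the advisory): find installed copies of happy-dom
// older than the fixed release named in the advisory.
const FIXED_VERSION = "15.10.2";   // from the advisory
const PACKAGE = "happy-dom";

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (optional leading "v") into parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(version).trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Numeric comparison of major/minor/patch; a prerelease of X sorts below X itself,
// so "15.10.2-rc.1" is still treated as older than the fixed 15.10.2.
function compareSemver(a, b) {
  const x = parseSemver(a);
  const y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.prerelease && !y.prerelease) return -1;
  if (!x.prerelease && y.prerelease) return 1;
  return 0;
}

function isVulnerable(version) {
  return compareSemver(version, FIXED_VERSION) < 0;
}

// Walk the "packages" map of a v2/v3 lockfile. Nested installs live under
// node_modules/<parent>/node_modules/happy-dom, so match on the path suffix.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isTarget = path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`);
    if (isTarget && entry.version && isVulnerable(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one vulnerable top-level copy (15.7.4) and one
// patched copy (15.10.3) nested under a hypothetical test helper package.
const SAMPLE_LOCK = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "happy-dom": "^15.7.0" } },
    "node_modules/happy-dom": { version: "15.7.4" },
    "node_modules/some-test-helper": { version: "1.0.0", dependencies: { "happy-dom": "^15.10.2" } },
    "node_modules/some-test-helper/node_modules/happy-dom": { version: "15.10.3" },
    "node_modules/unrelated": { version: "2.0.0" },
  },
};

const report = findVulnerable(SAMPLE_LOCK);
if (report.length === 0) {
  console.log(`no ${PACKAGE} older than ${FIXED_VERSION} installed`);
} else {
  for (const hit of report) {
    console.log(`AFFECTED: ${hit.path} is ${hit.version} (< ${FIXED_VERSION})`);
  }
}
```

To scan a real project, replace SAMPLE_LOCK with the parsed contents of its package-lock.json; the check reads the lockfile rather than package.json because a range such as ^15.7.0 says nothing about which release is actually installed. A hit is the cue to update happy-dom with npm or yarn as the advisory says and then re-run npm audit or yarn audit to confirm nothing else still pins an old copy.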
While no active exploitation campaigns have been publicly reported, the critical severity suggests a high probability of exploitation if left unpatched.
Refer to the GitHub issue [#1585](https://github.com/capricorn86/happy-dom/issues/1585) for details and updates.