Platform: nodejs
Component: happy-dom
Fixed in: 15.10.1, 20.8.8
CVE-2026-33943 describes a Remote Code Execution (RCE) vulnerability found in the happy-dom Node.js module. This flaw allows attackers to inject arbitrary JavaScript expressions into ES module scripts processed by the module's ECMAScriptModuleCompiler, resulting in potentially complete system compromise. The vulnerability impacts versions of happy-dom prior to 20.8.8, and a patch has been released.
The vulnerability lies in the ECMAScriptModuleCompiler component, specifically how it handles export { } declarations within ES module scripts. The compiler directly interpolates unsanitized content into generated code, effectively allowing an attacker to inject malicious JavaScript. The quote filter's failure to strip backticks enables the use of template literals to bypass sanitization, making exploitation relatively straightforward. Successful exploitation could allow an attacker to execute arbitrary code within the Node.js process running the vulnerable happy-dom module, potentially leading to data theft, system takeover, or denial of service.
This vulnerability was publicly disclosed on 2026-03-26. No public proof-of-concept (PoC) code has been released at the time of writing, but the vulnerability's nature and the lack of effective sanitization suggest a high likelihood of PoC development. Its severity and ease of exploitation could lead to active exploitation campaigns. The vulnerability is not currently listed on the CISA KEV catalog.
EPSS: 0.08% (24th percentile)
The primary mitigation is to upgrade to version 20.8.8 or later of the happy-dom module. If upgrading is not immediately feasible, consider implementing input validation and sanitization on any data used within ES module scripts processed by happy-dom. While a direct workaround is limited, carefully reviewing and restricting the sources of ES module scripts used with happy-dom can reduce the attack surface. After upgrading, confirm the fix by attempting to load a malicious ES module script and verifying that it does not execute arbitrary code.
Update to version 20.8.8 or higher. This version fixes the code injection vulnerability in the ECMAScriptModuleCompiler.
CVE-2026-33943 is a Remote Code Execution vulnerability in the happy-dom Node.js module, allowing attackers to inject JavaScript code via ES module scripts.
You are affected if you are using happy-dom versions prior to 20.8.8 and process ES module scripts.
Upgrade to version 20.8.8 or later of the happy-dom module. If upgrading is not possible, implement strict input validation and sanitization.
While no active exploitation has been confirmed, the vulnerability's nature suggests a high likelihood of exploitation.
Refer to the happy-dom project's repository or website for the official advisory and release notes.