CVE-2026-33943 Overview
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface, commonly used in testing environments. A code injection vulnerability exists in the ECMAScriptModuleCompiler component in versions 15.10.0 through 20.8.7 that allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside export { } declarations in ES module scripts processed by Happy DOM.
The vulnerability stems from the compiler directly interpolating unsanitized content into generated code as an executable expression. Additionally, the quote filter does not strip backticks, allowing template literal-based payloads to bypass sanitization mechanisms.
Critical Impact
Attackers can achieve Remote Code Execution by injecting malicious JavaScript expressions through ES module export declarations, potentially compromising server-side applications using Happy DOM for testing or rendering.
Affected Products
- Happy DOM versions 15.10.0 through 20.8.7
- Applications using Happy DOM for server-side DOM simulation
- Testing frameworks integrating vulnerable Happy DOM versions
Discovery Timeline
- 2026-03-27 - CVE CVE-2026-33943 published to NVD
- 2026-03-30 - Last updated in NVD database
Technical Details for CVE-2026-33943
Vulnerability Analysis
This vulnerability is classified as CWE-94 (Improper Control of Generation of Code - Code Injection). The ECMAScriptModuleCompiler in Happy DOM processes ES module scripts and dynamically generates executable code. When handling export { } declarations, the compiler fails to properly sanitize the content being interpolated into the generated code.
The core issue lies in the fact that export names are interpolated directly as executable expressions without adequate input validation. While some filtering exists for quotes, the sanitization mechanism does not account for backtick characters, which can be used to construct template literals in JavaScript. This oversight allows attackers to craft payloads that escape the intended context and execute arbitrary code.
Root Cause
The root cause is insufficient input validation in the ECMAScriptModuleCompiler component. Export names from ES module scripts are processed and interpolated into generated code without ensuring they conform to valid JavaScript identifier patterns. The absence of backtick filtering in the quote sanitization routine enables template literal injection, which attackers can leverage to execute arbitrary JavaScript expressions within the context of the Happy DOM runtime.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker must craft a malicious ES module script containing specially crafted export declarations with injected JavaScript expressions using template literals. When a vulnerable application processes this malicious module through Happy DOM, the injected code executes with the privileges of the application, potentially leading to full server compromise, data exfiltration, or lateral movement within the infrastructure.
The following patch demonstrates the security fix implemented in version 20.8.8:
*/
const IMPORT_REGEXP = /{([^}]+)}|\*\s+as\s+([a-zA-Z0-9-_$]+)|([a-zA-Z0-9-_$]+)/gm;
+/**
+ * Strip invalid variable name characters regexp.
+ */
+const VALID_VARIABLE_NAME_REGEXP = /^[a-zA-Z_$][a-zA-Z0-9_$]*$/;
+
/**
* Valid preceding token before a statement.
*/
Source: GitHub Commit Update
The fix introduces a VALID_VARIABLE_NAME_REGEXP pattern that validates export names against strict JavaScript identifier rules, ensuring only alphanumeric characters, underscores, and dollar signs are permitted, with proper starting character constraints. This prevents injection of arbitrary expressions including template literals.
Detection Methods for CVE-2026-33943
Indicators of Compromise
- Unusual JavaScript errors or unexpected code execution in Happy DOM processing logs
- Presence of template literal syntax (backticks) within ES module export declarations in processed scripts
- Unexpected outbound network connections from Node.js processes running Happy DOM
- Anomalous process spawning or file system access from testing or rendering services
Detection Strategies
- Implement code review processes to identify ES module inputs processed by Happy DOM versions prior to 20.8.8
- Deploy application-layer monitoring to detect malformed or suspicious export declarations in module scripts
- Use static analysis tools to scan for direct usage of vulnerable Happy DOM versions in package.json or lock files
- Enable verbose logging in Happy DOM processing pipelines to capture potential injection attempts
Monitoring Recommendations
- Monitor application logs for JavaScript runtime errors associated with ECMAScript module compilation
- Set up alerts for any child process execution originating from Happy DOM processing contexts
- Track dependency versions across CI/CD pipelines to flag vulnerable Happy DOM installations
- Implement network egress monitoring for services utilizing Happy DOM for server-side rendering
How to Mitigate CVE-2026-33943
Immediate Actions Required
- Upgrade Happy DOM to version 20.8.8 or later immediately
- Audit all applications using Happy DOM versions between 15.10.0 and 20.8.7
- Review logs for any suspicious activity that may indicate prior exploitation
- Implement input validation for any user-controlled content processed through ES modules
Patch Information
The vulnerability has been addressed in Happy DOM version 20.8.8. The patch introduces strict validation of export names using a regular expression pattern that ensures only valid JavaScript identifiers are accepted, preventing code injection through template literals or other expression syntax.
Refer to the GitHub Release v20.8.8 for the official patch release. Additional details about the vulnerability and fix can be found in the GitHub Security Advisory GHSA-6q6h-j7hj-3r64.
Workarounds
- Avoid processing untrusted ES module scripts through Happy DOM until patching is complete
- Implement pre-processing validation to reject modules containing backticks in export declarations
- Isolate Happy DOM processing in sandboxed environments with limited privileges
- Use Content Security Policy or similar controls to restrict code execution scope where applicable
# Upgrade Happy DOM to patched version
npm update happy-dom@20.8.8
# Or specify exact version in package.json
npm install happy-dom@^20.8.8 --save
# Verify installed version
npm list happy-dom
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
