Happy DOM is a JavaScript library that simulates a web browser environment without a graphical user interface, often used for server-side rendering, testing, or automation. Versions 15.10.0 through 20.8.7 contain a critical code injection vulnerability (CWE-94) in the ECMAScriptModuleCompiler module. This component compiles ES module scripts and processes export declarations. The vulnerability stems from the compiler directly interpolating unsanitized user-controlled JavaScript expressions inside export { } statements. The sanitization mechanism, specifically the quote filter, does not remove backticks (`), which allows attackers to craft payloads using template literals that bypass filtering. By injecting malicious JavaScript expressions, an attacker can achieve remote code execution (RCE) within the context where happy-dom is used. Exploitation requires user interaction (e.g., supplying malicious module scripts) but no prior authentication, making it accessible to remote attackers. The vulnerability impacts confidentiality, integrity, and availability by enabling arbitrary code execution, potentially leading to data theft, system compromise, or denial of service. The issue was fixed in version 20.8.8 by properly sanitizing input and preventing unsafe code interpolation. No known exploits are currently reported in the wild, but the high CVSS score (8.8) reflects the severity and ease of exploitation.

This vulnerability allows remote attackers to execute arbitrary JavaScript code in environments using vulnerable versions of happy-dom, potentially leading to full system compromise. Organizations relying on happy-dom for server-side rendering, automated testing, or any backend JavaScript execution are at risk of data breaches, unauthorized access, and service disruption. The attack could be leveraged to pivot within networks, deploy malware, or exfiltrate sensitive information. Because happy-dom is used in development and CI/CD pipelines, compromised environments could lead to supply chain risks affecting downstream applications. The lack of authentication requirement and network attack vector increases the threat surface. The vulnerability's impact spans confidentiality, integrity, and availability, making it critical for organizations to address promptly.

The primary mitigation is to upgrade happy-dom to version 20.8.8 or later, where the vulnerability is patched. Organizations should audit their codebases and dependencies to identify usage of affected versions. If immediate upgrade is not feasible, restrict access to environments running happy-dom to trusted users and networks to reduce exposure. Implement input validation and sanitization on any user-supplied module scripts processed by happy-dom. Employ runtime application self-protection (RASP) or sandboxing techniques to limit the impact of potential code execution. Monitor logs and network traffic for suspicious activity related to module compilation or unexpected code execution. Incorporate static and dynamic code analysis tools to detect unsafe code injection patterns. Finally, educate developers about secure coding practices to prevent injection flaws in custom extensions or integrations.