happy-dom allows for server side code to be executed by a <script> tag

Description

Consumers of the NPM package happy-dom

Recommendation

Update the happy-dom package to the latest compatible version. Followings are version details:

• Affected version(s): < 15.10.2
• Patched version(s): 15.10.2

References

• GHSA-96g7-g7g9-jxw8
• CVE-2024-51757
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain - CVE-2026-22686
• Storybook manager bundle may expose environment variables during build - CVE-2025-68429
• happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript - CVE-2025-62410
• Predictable results in nanoid generation when given non-integer values - CVE-2024-55565

Tags:

npm

happy-dom