happy-dom allows for server side code to be executed by a <script> tag

Description

Consumers of the NPM package happy-dom

Recommendation

Update the happy-dom package to the latest compatible version. Followings are version details:

• Affected version(s): < 15.10.2
• Patched version(s): 15.10.2

References

• GHSA-96g7-g7g9-jxw8
• CVE-2024-51757
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript - CVE-2025-62410
• Happy DOM: VM Context Escape can lead to Remote Code Execution - CVE-2025-61927
• HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-59155
• OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer - CVE-2025-50183

Tags:

npm

happy-dom