happy-dom allows for server side code to be executed by a <script> tag

Description

Consumers of the NPM package happy-dom

Recommendation

Update the happy-dom package to the latest compatible version. Followings are version details:

• Affected version(s): < 15.10.2
• Patched version(s): 15.10.2

References

• GHSA-96g7-g7g9-jxw8
• CVE-2024-51757
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• Strapi allows Server-Side Request Forgery in Webhook function - CVE-2024-52588
• Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code - CVE-2026-33943
• Happy DOM: VM Context Escape can lead to Remote Code Execution - CVE-2025-61927
• happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript - CVE-2025-62410

Tags:

npm

happy-dom