Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code
- Severity: High
Description
A code injection vulnerability in ECMAScriptModuleCompiler allows an attacker to achieve Remote Code Execution (RCE) by injecting arbitrary JavaScript expressions inside export { } declarations in ES module scripts processed by happy-dom.
Recommendation
Update the happy-dom package to the latest compatible version. Version details:
- Affected version(s): >= 15.10.0, <= 20.8.7
- Patched version(s): 20.8.8
References
Related Issues
- happy-dom allows for server side code to be executed by a <script> tag - CVE-2024-51757
- happy-dom's `--disallow-code-generation-from-strings` is not sufficient for isolating untrusted JavaScript - CVE-2025-62410
- Happy DOM: VM Context Escape can lead to Remote Code Execution - CVE-2025-61927
- jsPDF has a PDF Object Injection via Unsanitized Input in addJS Method - CVE-2026-25755
- Tags:
- npm
- happy-dom
Last updated on March 26, 2026