Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies
- Severity:
- High
Description
happy-dom may attach cookies from the current page origin (window.location) instead of the request target URL when fetch(..., { credentials: "include" }) is used. This can leak cookies from origin A to destination B.
Recommendation
Update the happy-dom package to the latest compatible version. Followings are version details:
- Affected version(s): < 20.8.9
- Patched version(s): 20.8.9
References
Related Issues
- Happy DOM ECMAScriptModuleCompiler: unsanitized export names are interpolated as executable code - CVE-2026-33943
- happy-dom allows for server side code to be executed by a <script> tag - CVE-2024-51757
- locize Client SDK: Cross-origin DOM XSS & Handler Hijack Through Missing e.origin Validation in InContext Editor - CVE-2026-41886
- Happy DOM: VM Context Escape can lead to Remote Code Execution - CVE-2025-61927
You might also like:
- Tags:
- npm
- happy-dom
Anything's wrong? Let us know Last updated on March 29, 2026