happy-dom

npm4 known CVEs affecting this package

Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.

CVEs affecting happy-dompage 1 of 1

CVE-2024-51757CRITICALCVSS 9.3EG 0.0✓ Fixed in 15.10.2
2024-11-06
happy-dom is a JavaScript implementation of a web browser without its graphical user interface. Versions of happy-dom prior to 15.10.2 may execute code on the host via a script tag. This would execute code in the user context of happy-dom.…
CVE-2025-61927HIGHCVSS 7.2EG 0.0✓ Fixed in 20.0.0
2025-10-10
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Happy DOM v19 and lower contains a security vulnerability that puts the owner system at the risk of RCE (Remote Code Execution) attacks. A Node…
CVE-2025-62410CRITICALCVSS 9.4EG 0.0✓ Fixed in 20.0.2
2025-10-15
In versions before 20.0.2, it was found that --disallow-code-generation-from-strings is not sufficient for isolating untrusted JavaScript in happy-dom. The untrusted script and the rest of the application still run in the same Isolate/proc…
CVE-2026-33943HIGHCVSS 8.8EG 8.8✓ Fixed in 20.8.8
2026-03-27
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. In versions 15.10.0 through 20.8.7, a code injection vulnerability in `ECMAScriptModuleCompiler` allows an attacker to achieve Remote Code Exec…

Check whether happy-dom is used in your infrastructure

EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for happy-dom CVEs against the assets you own.

Start Free Scan →