AIKIDO-2024-10426

happy-dom is vulnerable to Remote Code Execution (RCE)

98

Critical

happy-dom js

AIKIDO-2024-10426: happy-dom is vulnerable to Remote Code Execution (RCE) in versions 13.0.0 - 15.10.0.

Remote Code Execution (RCE)
Vuln in 13.0.0 - 15.10.0
Fixed in 15.10.1
No CVE available

TL;DR

Affected versions of the package are vulnerable to remote code execution. It is possible to inject a server-side script into the "src" attribute of a <script> tag. Because happy-dom uses child_process.execFileSync() to perform the fetch synchronously, the script can be injected by escaping from the URL string, e.g. document.write(`<script src="https://localhost:8080/'+require('child_process').execSync('id')+'"></script>`);
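
The escape from the URL string described above is what happens when a URL is interpolated into generated script text. The following added example (not happy-dom's code and not the actual patch) contrasts that construction with two that keep the URL as data. All function names are hypothetical, `new Function` stands in for the child process that would receive the script, and the probe URL is constructed and harmless.

```javascript
// Added illustration; not happy-dom's source. All names here are hypothetical.
// `new Function` stands in for the child interpreter that would receive the
// generated script, so the example runs in-process and offline.

// UNSAFE: the URL is pasted between single quotes in generated JavaScript.
// A quote inside the URL closes the literal and the remainder is parsed as code.
function buildScriptUnsafe(url) {
  return `return { requested: '${url}' };`;
}

// SAFER: JSON.stringify emits a complete string literal with quotes,
// backslashes and line breaks escaped, so the URL can only ever be data.
function buildScriptEscaped(url) {
  return `return { requested: ${JSON.stringify(url)} };`;
}

// SAFEST: the script text is a constant; the URL travels as an argument
// (the in-process analogue of passing it as a separate argv element).
const CONSTANT_SCRIPT = 'return { requested: url };';

// Runs each construction and reports whether the URL stayed data.
function evaluate(url) {
  globalThis.__probe = 0; // bumped only if text from the URL runs as code
  const unsafe = new Function(buildScriptUnsafe(url))();
  const unsafeRan = globalThis.__probe;
  globalThis.__probe = 0;
  const escaped = new Function(buildScriptEscaped(url))();
  const param = new Function('url', CONSTANT_SCRIPT)(url);
  const hardenedRan = globalThis.__probe;
  delete globalThis.__probe;
  return {
    unsafeRan,
    hardenedRan,
    unsafeIntact: unsafe.requested === url,
    escapedIntact: escaped.requested === url,
    paramIntact: param.requested === url,
  };
}

// Constructed, harmless probe with the same shape as the advisory's payload:
// it breaks out of the quotes and bumps a counter instead of running a command.
const PROBE_URL = "https://localhost:8080/'+(globalThis.__probe+=1)+'";
console.log(evaluate(PROBE_URL));
console.log(evaluate('https://localhost:8080/app.js'));
```

With the probe URL, only the interpolated construction evaluates text taken from the URL; the escaped and parameterised forms return the URL unchanged.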

Who does this affect?

You're affected if you are using a version within the vulnerable range (13.0.0 - 15.10.0).

How can it be fixed?

Upgrade the happy-dom library to the patched version (15.10.1).

© 2024 Aikido Security BV | BE0792914919