happy-dom is vulnerable to Remote Code Execution (RCE)
98
Critical Risk
Affected versions of the package are vulnerable to Remote Code Execution (RCE). The vulnerability is triggered when an attacker injects a server-side script into the src attribute of a <script> tag. Because happy-dom uses child_process.execFileSync() to perform synchronous fetch operations, an attacker can escape from the URL string and inject arbitrary code. For example, an attacker could exploit this with a payload like: document.write('<script src="https://localhost:8080/'+require('child_process').execSync('id')+'"></script>'); This would allow the attacker to execute arbitrary commands on the server, potentially compromising the system.
You are affected if you are using a version that falls within the vulnerable range.
happy-dom is vulnerable to Remote Code Execution (RCE) in versions 13.0.0 - 15.10.1.
Upgrade the happy-dom library to a patched version.