Home

Description

Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.

PUBLISHED Reserved 2026-03-26 | Published 2026-03-27 | Updated 2026-03-31 | Assigner GitHub_M




HIGH: 7.5CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Problem types

CWE-201: Insertion of Sensitive Information Into Sent Data

CWE-359: Exposure of Private Personal Information to an Unauthorized Actor

Product status

< 20.8.9
affected

References

github.com/...py-dom/security/advisories/GHSA-w4gp-fjgq-3q4g

github.com/capricorn86/happy-dom/pull/2117

github.com/...ommit/68324c21d7b98f53f7bb5a7b3e185bda7106e751

github.com/...c/fetch/utilities/FetchRequestHeaderUtility.ts

github.com/capricorn86/happy-dom/releases/tag/v20.8.9

cve.org (CVE-2026-34226)

nvd.nist.gov (CVE-2026-34226)

Download JSON