Description
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.
Published: 2026-03-27
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Credential leakage via cross‑origin cookie exposure
Action: Immediate Patch
AI Analysis

Impact

Happy DOM’s fetch implementation incorrectly uses the page origin’s cookies instead of the target URL’s when the option credentials: "include" is set. This can result in cookies from origin A being sent to origin B, exposing sensitive session information. The weakness corresponds to information exposure weaknesses (CWE‑201, CWE‑359).

Affected Systems

Happy DOM releases by Capricorn86 versions prior to 20.8.9 are affected. The implementation is a Node.js JavaScript environment used for server‑side rendering and automated browsing.

Risk and Exploitability

The CVSS score of 7.5 signals high severity, while the EPSS score of less than 1% indicates a low probability of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Because the flaw lies within client‑side JavaScript executing inside Happy DOM, an attacker would need to inject or run code that calls fetch(..., {credentials: "include"}) to a resource on a different origin; this inference is made from the description that the issue occurs when credentials: "include" is used, but the CVE does not detail the exact attack context. The risk to applications using Happy DOM for server‑side rendering or automated browsing is moderate, especially if the code processes untrusted input.

Generated by OpenCVE AI on April 2, 2026 at 05:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Happy DOM to version 20.8.9 or later.

Generated by OpenCVE AI on April 2, 2026 at 05:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-w4gp-fjgq-3q4g Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies
History

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
First Time appeared Capricorn86 happy Dom
CPEs cpe:2.3:a:capricorn86:happy_dom:*:*:*:*:*:nodejs:*:*
Vendors & Products Capricorn86 happy Dom

Tue, 31 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 03:00:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 30 Mar 2026 07:15:00 +0000

Type Values Removed Values Added
First Time appeared Capricorn86
Capricorn86 happy-dom
Vendors & Products Capricorn86
Capricorn86 happy-dom

Sat, 28 Mar 2026 03:15:00 +0000

Type Values Removed Values Added
Description Happy DOM is a JavaScript implementation of a web browser without its graphical user interface. Versions prior to 20.8.9 may attach cookies from the current page origin (`window.location`) instead of the request target URL when `fetch(..., { credentials: "include" })` is used. This can leak cookies from origin A to destination B. Version 20.8.9 fixes the issue.
Title Happy DOM's fetch credentials include uses page-origin cookies instead of target-origin cookies
Weaknesses CWE-201
CWE-359
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Capricorn86 Happy-dom Happy Dom
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T14:25:27.402Z

Reserved: 2026-03-26T16:22:29.033Z

Link: CVE-2026-34226

cve-icon Vulnrichment

Updated: 2026-03-31T14:25:24.297Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-27T22:16:23.113

Modified: 2026-04-01T13:26:49.493

Link: CVE-2026-34226

cve-icon Redhat

Severity : Important

Publid Date: 2026-03-27T21:17:24Z

Links: CVE-2026-34226 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T07:55:19Z

Weaknesses