PT-2026-28614 · Happy-Dom · Happy-Dom

R74Tech · Published 2026-03-27 · Updated 2026-03-29 · CVE-2026-34226

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
Happy DOM versions prior to 20.8.9

Description
Happy DOM is a JavaScript implementation of a web browser without a graphical user interface. When fetch(..., { credentials: "include" }) is used, it may attach cookies from the current page origin instead of the request target URL, which can leak cookies from one origin to another. The issue lies in cookie selection in getRequestHeaders() in packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts, where the originURL used for cookie lookup is the page URL rather than the request destination URL. A proof-of-concept script demonstrates the issue by setting cookies on different origins and then triggering a cross-host request with credentials included. The result is sensitive information disclosure, specifically cookie leakage, affecting applications that rely on happy-dom in authenticated or session-based flows.

Recommendations
Update to Happy DOM version 20.8.9 or later.
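
The lookup-key mistake described above, shown as a simplified model next to the corrected lookup and a regression check. This is an added example, not Happy DOM's source code or its patch: the cookie jar, host names and every function name are constructed for illustration, and the corrected lookup is an assumption drawn from the description.

```javascript
// Constructed cookie jar: one host-only session cookie per origin.
const SAMPLE_JAR = [
  { name: "session", value: "page-secret", domain: "app.example.test", path: "/", hostOnly: true },
  { name: "session", value: "api-token", domain: "api.example.test", path: "/", hostOnly: true },
];

// Cookies that may be sent to `url`: RFC 6265 domain match plus a
// simplified prefix path match (hypothetical helper).
function cookiesFor(jar, url) {
  const { hostname, pathname } = new URL(url);
  return jar.filter((c) => {
    const domainOk = c.hostOnly
      ? hostname === c.domain
      : hostname === c.domain || hostname.endsWith("." + c.domain);
    return domainOk && pathname.startsWith(c.path);
  });
}

function cookieHeader(cookies) {
  return cookies.map((c) => `${c.name}=${c.value}`).join("; ");
}

// Behaviour the advisory describes: the lookup is keyed on the page URL,
// so the request destination is never consulted.
function headersBeforeFix(jar, pageURL, requestURL) {
  return { Cookie: cookieHeader(cookiesFor(jar, pageURL)) };
}

// Corrected behaviour (assumed): the lookup is keyed on the request URL.
function headersAfterFix(jar, pageURL, requestURL) {
  return { Cookie: cookieHeader(cookiesFor(jar, requestURL)) };
}

// Regression check: Cookie header pairs that the jar does not permit
// for the request destination. An empty array means no leakage.
function leakedCookies(jar, headers, requestURL) {
  const allowed = new Set(
    cookiesFor(jar, requestURL).map((c) => `${c.name}=${c.value}`)
  );
  return headers.Cookie.split("; ").filter((pair) => pair && !allowed.has(pair));
}
```

A check shaped like leakedCookies() can be run in a test suite against the outgoing headers of a cross-host fetch to confirm that an upgraded dependency no longer sends the page origin's cookies.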


Weakness Enumeration

Related Identifiers

CVE-2026-34226
GHSA-W4GP-FJGQ-3Q4G

Affected Products

Happy-Dom