Happy-Dom · Happy-Dom · CVE-2026-34226
**Name of the Vulnerable Software and Affected Versions**
Happy DOM versions prior to 20.8.9
**Description**
Happy DOM, a JavaScript implementation of a web browser without a graphical user interface, has an issue where it may attach cookies from the current page origin instead of the request target URL when using `fetch(..., { credentials: "include" })`. This can lead to the leakage of cookies from one origin to another. The issue is related to cookie selection in `getRequestHeaders()` within the file `packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts`, where the `originURL` used for cookie lookup represents the page URL instead of the request destination URL. A proof-of-concept script demonstrates how this can be exploited by setting cookies on different origins and then triggering a cross-host request with credentials included. This can result in sensitive information disclosure, specifically cookie leakage, impacting applications that rely on `happy-dom` in authenticated or session-based flows.
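The cookie-selection flaw described above, modeled as an added example; it is not happy-dom's source and not the proof-of-concept the advisory refers to. The jar contents, hostnames and function names are constructed for illustration, and only the `credentials: "include"` case is modeled.

```javascript
// Simplified model of cookie selection for fetch(); not happy-dom's source.
// Jar contents and hostnames are constructed sample data.
const jar = [
  { name: "session", value: "page-secret", domain: "app.example.test", path: "/", hostOnly: true, secure: false },
  { name: "api", value: "api-token", domain: "api.example.test", path: "/v1", hostOnly: true, secure: false },
];

// RFC 6265 domain-match: exact for host-only cookies, suffix match otherwise.
function domainMatches(host, c) {
  return host === c.domain || (!c.hostOnly && host.endsWith("." + c.domain));
}

// RFC 6265 path-match: prefix match that ends on a "/" boundary.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  return reqPath.startsWith(cookiePath) &&
    (cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/");
}

// Serialize the cookies in the jar that apply to lookupURL.
function cookieHeaderFor(cookies, lookupURL) {
  const { hostname, pathname, protocol } = new URL(lookupURL);
  return cookies
    .filter((c) => domainMatches(hostname, c) && pathMatches(pathname, c.path))
    .filter((c) => !c.secure || protocol === "https:")
    .map((c) => `${c.name}=${c.value}`)
    .join("; ");
}

// Flawed selection: the lookup key is the page URL; requestURL is ignored.
function flawedRequestHeaders(cookies, pageURL, requestURL, credentials) {
  const cookie = credentials === "include" ? cookieHeaderFor(cookies, pageURL) : "";
  return cookie ? { Cookie: cookie } : {};
}

// Corrected selection: the lookup key is the request destination URL.
function fixedRequestHeaders(cookies, pageURL, requestURL, credentials) {
  const cookie = credentials === "include" ? cookieHeaderFor(cookies, requestURL) : "";
  return cookie ? { Cookie: cookie } : {};
}

const page = "http://app.example.test/dashboard";
const target = "http://api.example.test/v1/items";
console.log("flawed:", flawedRequestHeaders(jar, page, target, "include"));
console.log("fixed: ", fixedRequestHeaders(jar, page, target, "include"));
```

A regression test in a project that depends on happy-dom can assert the same property: a credentialed request to a second host must carry only that host's cookies, never the page origin's.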
**Recommendations**
Update to Happy DOM version 20.8.9 or later.