CVE-2026-34226
Information Disclosure vulnerability in happy-dom (npm)

Information Disclosure No known exploit

What is CVE-2026-34226 About?

This information disclosure vulnerability in `happy-dom` can lead to the unintended leakage of cookies from a webpage's origin to a different request target. When using `fetch(..., { credentials: "include" })`, the cookie selection incorrectly uses the page's `window.location` instead of the request's target URL. This flaw is easy to exploit under specific conditions, potentially compromising user session data.

Affected Software

happy-dom <20.8.9

Technical Details

The vulnerability lies within happy-dom's getRequestHeaders() function in packages/happy-dom/src/fetch/utilities/FetchRequestHeaderUtility.ts. When a fetch request is made with credentials: "include", the cookieContainer.getCookies() method is incorrectly called with originURL (representing options.window.location.href) instead of the actual request target URL (options.request[PropertySymbol.url]). This design flaw causes cookies associated with the current page's origin (e.g., a.example.com) to be included in a cross-origin fetch request targeting a different domain (e.g., b.example.com), while the cookies associated with the target domain are erroneously omitted, leading to an 'all-or-nothing' incorrect cookie inclusion.

What is the Impact of CVE-2026-34226?

Successful exploitation may allow attackers to achieve cross-origin sensitive information disclosure, specifically the leakage of cookies from one origin to another. This can lead to session hijacking, unauthorized access to user accounts, or other privacy breaches in applications utilizing `happy-dom` for server-side rendering, testing, or proxy-like scenarios where fetch behavior and cookie handling are critical.

What is the Exploitability of CVE-2026-34226?

Exploitation of this vulnerability is relatively straightforward, requiring specific library usage and environmental conditions. The prerequisites include using happy-dom in an environment where fetch requests are made with credentials: "include" across different origins. No specific authentication is required at the happy-dom level, as the vulnerability resides in its internal cookie handling logic. Privilege requirements are limited to running an application that uses happy-dom. The attack is effectively remote in nature, as it involves cross-origin fetch requests initiated by the happy-dom environment. The main constraint is that the application must be designed to make cross-origin fetch calls with credentials, and the attacker would primarily be abusing an existing application's behavior rather than directly injecting code. Risk is increased in scenarios like SSR or testing where happy-dom emulates browser behavior and manages cookies for multiple origins.

What are the Known Public Exploits?

PoC Author Link Commentary
No known exploits

What are the Available Fixes for CVE-2026-34226?

Available Upgrade Options

  • happy-dom
    • <20.8.9 → Upgrade to 20.8.9

Struggling with dependency upgrades?

See how Resolved Security's drop-in replacements make it simple.

Book a demo

Additional Resources

What are Similar Vulnerabilities to CVE-2026-34226?

Similar Vulnerabilities: CVE-2017-5753 , CVE-2014-0077 , CVE-2019-11756 , CVE-2018-8041 , CVE-2020-0080

All Rights reserved 2025
Privacy Policy