## Happy-DOM Security Alert: Critical RCE Flaw (CVE-2026-33943) in ECMAScriptModuleCompiler
A critical remote code execution (RCE) vulnerability has been disclosed in the popular JavaScript testing library happy-dom. The flaw, tracked as CVE-2026-33943, resides in the library's `ECMAScriptModuleCompiler` component. It allows an attacker to inject and execute arbitrary JavaScript code by manipulating unsanitized content within `export { }` declarations of ES module scripts processed by the library. This is not a theoretical weakness; it is a direct path for code injection that could compromise any application or service using a vulnerable version of happy-dom for server-side rendering or DOM simulation.

The vulnerability specifically affects how the `ECMAScriptModuleCompiler` handles export declarations. The compiler interpolates user-controlled input directly, without proper sanitization, so a crafted ES module script leads to execution of attacker-defined code in the context of the Node.js process when it is processed. The security advisory from the project maintainers, capricorn86, confirms the severity and the potential for RCE. The issue prompted an immediate patch: versions 20.8.4 through 20.8.7 are vulnerable, and version 20.8.8 contains the fix.

This vulnerability places thousands of JavaScript projects, particularly those in testing, web scraping, and server-side rendering pipelines, at immediate risk. The automated dependency update PRs, like the one from RenovateBot, are now critical security patches, not routine maintenance. Developers must prioritize updating their dependency from any version before 20.8.8 to the patched release. Failure to apply this update leaves applications open to a severe attack vector where crafted input could lead to full system compromise, data theft, or further network penetration, depending on the permissions of the Node.js process.

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, javascript, npm, CVE-2026-33943
- **Credibility**: unverified
- **Published**: 2026-03-27 11:27:29
- **ID**: 37476
- **URL**: https://whisperx.ai/en/intel/37476