## Critical RCE Flaw in Happy-DOM Node.js Module Exposes Projects to Code Injection
A critical security vulnerability in the popular Node.js module `happy-dom` exposes thousands of projects to potential remote code execution (RCE). The flaw, tracked as CVE-2026-33943, resides in the library's `ECMAScriptModuleCompiler`. It allows an attacker to inject arbitrary JavaScript expressions directly into `export { }` declarations within ES module scripts processed by the library. The vulnerability stems from the compiler's direct interpolation of unsanitized user content, creating a direct path for code injection.

The vulnerability specifically affects the `happy-dom` package, a widely used headless browser implementation for testing and server-side rendering. The security advisory from the project maintainers indicates the flaw is present in versions prior to 20.8.8. The update to version 20.8.8, tagged with a `[SECURITY]` label, is now being pushed via automated dependency management tools like RenovateBot. The severity is underscored by the direct link between unsanitized input and the ability to execute arbitrary code on the host system.

This discovery places immediate pressure on development teams across the JavaScript and Node.js ecosystem to audit their dependency chains. Any project using `happy-dom` for testing, scraping, or server-side DOM manipulation is potentially at risk until the patch is applied. The use of automated tools highlights the scale of the response, but also the scale of the exposure. The flaw represents a significant supply-chain risk, where a single vulnerable library can propagate a critical security threat through countless downstream applications and services.
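
One way to run the audit described above, as an added example that is not code from the happy-dom project or its advisory: it scans a parsed `package-lock.json` for direct and transitive `happy-dom` installs older than 20.8.8. The sample lockfile and the package name `some-test-util` are constructed for illustration.

```javascript
const PACKAGE = "happy-dom";
const FIXED = "20.8.8"; // patched release named in the article

// True when `version` sorts before `fixed` (plain x.y.z comparison).
function isBefore(version, fixed) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?/.exec(version);
  if (!m) return true; // unparseable (git URL, tarball): flag for manual review
  const b = fixed.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const a = Number(m[i + 1]);
    if (a !== b[i]) return a < b[i];
  }
  return m[4] !== undefined; // a prerelease of the fixed version sorts before it
}

// Accepts a parsed package-lock.json and returns every affected install path.
function findVulnerableHappyDom(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2 and 3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      const isTarget = path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`);
      if (isTarget && isBefore(String(meta.version), FIXED)) hits.push({ path, version: meta.version });
    }
  } else {
    // lockfileVersion 1: nested dependency tree
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${trail}node_modules/${name}`;
        if (name === PACKAGE && isBefore(String(meta.version), FIXED)) hits.push({ path, version: meta.version });
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/happy-dom": { version: "20.8.8" },
    "node_modules/some-test-util/node_modules/happy-dom": { version: "20.8.7" },
    "node_modules/not-happy-dom": { version: "1.0.0" },
  },
};
console.log(findVulnerableHappyDom(sampleLock));
```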

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, nodejs, vulnerability, supply-chain, CVE-2026-33943
- **Credibility**: unverified
- **Published**: 2026-03-27 23:27:21
- **ID**: 38518
- **URL**: https://whisperx.ai/en/intel/38518