## Happy-Dom Node.js Library Patches Critical RCE Vulnerability (CVE-2026-33943)
A critical remote code execution (RCE) vulnerability has been patched in the popular Node.js library happy-dom, a key component for simulating a browser environment in testing frameworks. The flaw, tracked as CVE-2026-33943, resides in the library's `ECMAScriptModuleCompiler`. It allows an attacker to inject arbitrary JavaScript expressions inside `export { }` declarations within ES module scripts processed by happy-dom. The vulnerability stems from the compiler directly interpolating unsanitized user content into generated code as an executable expression, bypassing intended security filters.

Because the compiler does not properly sanitize input inside export declarations when it processes ES module scripts, injected code executes in the context of the Node.js process running happy-dom. The flaw has been assigned a CVE identifier and a dedicated GitHub Security Advisory (GHSA-6q6h-j7hj-3r64). The maintainers have released version 20.8.9 to address the issue, an update from the previous 20.7.0 release.

The patch is being distributed via automated dependency management tools like RenovateBot, which has flagged the update as a security priority. Developers using happy-dom as a devDependency must immediately update to version 20.8.9 or later to mitigate the RCE risk. This vulnerability highlights the persistent security challenges in tooling that parses and executes dynamic code, even within testing environments traditionally considered lower risk. Failure to update leaves development and CI/CD pipelines open to potential compromise through maliciously crafted test scripts or dependencies.
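
To check a project against the fixed release named above, this added example (not code from happy-dom or the advisory) scans the `packages` map of an npm lockfile for happy-dom installs older than 20.8.9, including nested copies pulled in by other packages. It assumes lockfileVersion 2 or 3; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: flag happy-dom installs older than the fixed release named in the article.
const PACKAGE = "happy-dom";
const FIXED = "20.8.9"; // fixed version, taken from the article

// Parse "major.minor.patch[-prerelease][+build]" into numbers plus a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+.*)?$/.exec(String(v).trim());
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when `version` sorts before `fixed`. A prerelease of the fixed version
// (e.g. 20.8.9-beta.1) counts as older; unparsable versions are flagged for review.
function isBefore(version, fixed) {
  const a = parseVersion(version), b = parseVersion(fixed);
  if (!a || !b) return true;
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i];
  }
  return a.pre && !b.pre;
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3).
// Keys are install paths, so nested copies such as
// "node_modules/x/node_modules/happy-dom" are found as well.
function findOutdated(lock, name = PACKAGE, fixed = FIXED) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const installed = path.split("node_modules/").pop();
    if (installed !== name || !entry || !entry.version) continue;
    if (isBefore(entry.version, fixed)) hits.push({ path, version: entry.version });
  }
  return hits;
}

// Constructed sample lockfile (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", devDependencies: { "happy-dom": "^20.7.0" } },
    "node_modules/happy-dom": { version: "20.8.9", dev: true },
    "node_modules/some-test-runner/node_modules/happy-dom": { version: "20.7.0", dev: true },
    "node_modules/happy-dom-helpers": { version: "1.0.0" }
  }
};

for (const hit of findOutdated(sampleLock)) {
  console.log(`${hit.path}: ${hit.version} is older than ${FIXED}`);
}
```

In a real project, pass the parsed contents of `package-lock.json` to `findOutdated` and fail the CI job when the returned list is not empty.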

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, nodejs, vulnerability, open-source, CVE-2026-33943
- **Credibility**: unverified
- **Published**: 2026-03-29 21:26:56
- **ID**: 40043
- **URL**: https://whisperx.ai/en/intel/40043