## Security Alert: Happy-DOM Library Patches Critical RCE Vulnerability (CVE-2026-33943)
A critical security vulnerability in the popular `happy-dom` JavaScript testing library has been patched; before the fix, it exposed projects to potential remote code execution (RCE) attacks. The flaw, tracked as CVE-2026-33943, resides in the library's `ECMAScriptModuleCompiler`. It allows an attacker to inject arbitrary JavaScript code by exploiting unsanitized content within `export { }` declarations of ES module scripts. The vulnerability is severe because the compiler interpolates this attacker-controlled input directly into generated code as an executable expression, creating a direct path to code execution.

The issue was addressed in version 20.8.9 of the `happy-dom` package. The update, classified as a minor release, moves the dependency from version 20.0.11 to 20.8.9. The vulnerability's presence triggered a GitHub security advisory (GHSA-6q6h-j7hj-3r64), and the project's OpenSSF security scorecard is now publicly visible. This is not a theoretical risk; the advisory summary explicitly states the mechanism allows an attacker to achieve RCE, making it a high-priority fix for any development team using this dependency in their testing or build pipeline.

The patch is now available via standard dependency management tools. Developers must immediately update their `devDependencies` to `happy-dom@20.8.9` or later to mitigate the risk. This incident underscores the persistent threat within the software supply chain, where a single, widely-used development tool can become a vector for serious compromise. The rapid response and clear advisory are positive, but the onus is on maintainers of downstream projects to apply this critical security update without delay.
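
A lockfile check for the update described above, as an added example that is not part of the original alert or the happy-dom project: it treats any `happy-dom` version below 20.8.9 as needing the update (an assumption based on the fix version stated here) and also reports nested copies pulled in by other packages. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example (not happy-dom project code). Assumption: versions below 20.8.9 need the update.
const FIXED = [20, 8, 9]; // patched version named in the alert text
// Parse "major.minor.patch[-pre]" into numbers and a prerelease flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  if (!m) return null;
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

function isBelowFixed(v) {
  const p = parseVersion(v);
  if (!p) return true; // unparseable or missing version: report it for manual review
  for (let i = 0; i < 3; i++) {
    if (p.nums[i] !== FIXED[i]) return p.nums[i] < FIXED[i];
  }
  return p.pre; // a prerelease such as 20.8.9-beta.1 sorts before 20.8.9
}

// Walk both lockfile layouts: flat "packages" (v2/v3) and nested "dependencies" (v1).
function findVulnerableHappyDom(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/happy-dom$/.test(path) && isBelowFixed(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === "happy-dom" && isBelowFixed(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", devDependencies: { "happy-dom": "^20.0.11" } },
    "node_modules/happy-dom": { version: "20.8.9" },
    "node_modules/test-kit/node_modules/happy-dom": { version: "20.0.11" },
  },
};
console.log(findVulnerableHappyDom(sampleLock));
```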

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, open-source, software-supply-chain, javascript
- **Credibility**: unverified
- **Published**: 2026-03-30 01:26:57
- **ID**: 40216
- **URL**: https://whisperx.ai/en/intel/40216