## Happy-DOM Security Alert: Critical Code Injection Flaw (CVE-2026-33943) Enables Remote Code Execution
A critical security vulnerability has been disclosed in the popular JavaScript testing library happy-dom, exposing projects to potential remote code execution (RCE) attacks. The flaw, tracked as CVE-2026-33943, resides in the library's `ECMAScriptModuleCompiler`. It allows an attacker to inject arbitrary JavaScript expressions within `export { }` declarations in ES module scripts processed by happy-dom. The compiler interpolates unsanitized user content directly, which creates a path for code injection.

When processing ES module scripts, the `ECMAScriptModuleCompiler` component fails to properly sanitize input within export declarations. This oversight lets malicious actors craft payloads that the happy-dom environment executes directly. The GitHub security advisory confirms the flaw's severity and links it to a potential RCE scenario, which is among the most severe classes of security threats for any software library.

The disclosure has triggered immediate patching efforts, with the library maintainers releasing version 20.8.9 to address the issue. The associated GitHub pull request, titled as a security update, bumps the dependency from version 20.8.3 to 20.8.9. Any development team or project relying on happy-dom for browser simulation and testing should treat this patch as critical, because unpatched versions leave applications vulnerable to exploitation. The incident underscores the persistent security risks within foundational development tools and the rapid response required from maintainers and downstream users to mitigate such critical threats.
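
To check whether a project still resolves an unpatched copy, the following added example (not code from the advisory or the happy-dom project) scans the `packages` map of an npm lockfile, including nested copies pulled in by other dependencies. It assumes every version below 20.8.9 needs the upgrade, since the report does not give the lower bound of the affected range; the package names in the sample lockfile are constructed.

```javascript
// Added example: flag happy-dom installs older than the fixed release named above.
const FIXED = "20.8.9"; // patched version, taken from the article

// Parse "major.minor.patch" into numbers. Pre-release/build suffixes are ignored
// (simplification: "20.8.9-beta.1" is treated as 20.8.9).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison, so 20.10.0 is correctly newer than 20.8.9.
function isOlder(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the "packages" map of an npm lockfile (lockfileVersion 2 or 3). Keys look like
// "node_modules/happy-dom" or "node_modules/x/node_modules/happy-dom" for nested copies.
// In a real project: pass JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
function findUnpatchedHappyDom(lock, fixed = FIXED) {
  const fixedParts = parseVersion(fixed);
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!/(^|\/)node_modules\/happy-dom$/.test(path)) continue;
    const parts = parseVersion(meta.version);
    // Unparseable versions are reported too, so they get a manual look.
    if (!parts || isOlder(parts, fixedParts)) {
      findings.push({ path, version: meta.version ?? "unknown" });
    }
  }
  return findings;
}

// Constructed sample lockfile (hypothetical package names, not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/happy-dom": { version: "20.8.9" },
    "node_modules/vitest-env/node_modules/happy-dom": { version: "20.8.3" },
    "node_modules/happy-dom-extras": { version: "1.0.0" },
  },
};

console.log(findUnpatchedHappyDom(sampleLock));
```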

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: cybersecurity, vulnerability, javascript, open-source, CVE-2026-33943
- **Credibility**: unverified
- **Published**: 2026-03-31 01:27:07
- **ID**: 42139
- **URL**: https://whisperx.ai/en/intel/42139