CVE-2026-34226
Cookie Leakage via Improper Credentials Handling in Happy DOM
Publication date: 2026-03-27
Last updated on: 2026-04-01
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| capricorn86 | happy_dom | up to 20.8.9 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-201 | The code transmits data to another actor, but a portion of the data includes sensitive information that should not be accessible to that actor. |
| CWE-359 | The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the information or (2) do not have the implicit consent of the person about whom the information is collected. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Happy DOM, a JavaScript implementation of a web browser without a graphical user interface. In versions prior to 20.8.9, when the fetch API is used with the option { credentials: "include" }, the code may incorrectly attach cookies from the current page origin (window.location) instead of the intended request target URL. This behavior can cause cookies from one origin (origin A) to be sent to a different destination (destination B), leading to unintended cookie leakage.
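The following is an added example, not Happy DOM's own code: a small cookie-jar model that contrasts the behaviour described above (cookies selected by the page's own location and then attached to a request for a different destination) with correct handling, where the cookies sent are selected by the request's target URL and filtered by the `credentials` mode. Cookie names, hostnames and values are constructed for illustration.

```javascript
// Added example (not Happy DOM code): why outgoing cookies must be scoped
// to the request target, not to the page origin. Runs on Node.js (URL global).

// A stored cookie as a jar would keep it (constructed, simplified attributes).
function makeCookie(name, value, { domain, path = "/", secure = false }) {
  return { name, value, domain: domain.toLowerCase(), path, secure };
}

// Domain match in the RFC 6265 sense: exact host or a subdomain of it.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Path match in the RFC 6265 sense.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Select the cookies that belong to ONE url: host, path and Secure flag.
function cookiesFor(jar, url) {
  const u = new URL(url);
  return jar
    .filter(c => domainMatches(u.hostname, c.domain)
      && pathMatches(u.pathname, c.path)
      && (!c.secure || u.protocol === "https:"))
    .map(c => `${c.name}=${c.value}`);
}

// Pattern the advisory describes: with credentials "include", the cookies
// are looked up by the current page location and then attached to a
// request going somewhere else. Cookies of origin A leak to destination B.
function cookieHeaderVulnerable(jar, pageLocation, requestUrl, credentials) {
  if (credentials !== "include") return null;
  const pairs = cookiesFor(jar, pageLocation); // wrong lookup key
  return pairs.length ? pairs.join("; ") : null;
}

// Correct handling: apply the Fetch credentials mode, then select cookies by
// the request target so only cookies scoped to that host/path are sent.
function cookieHeaderFixed(jar, pageLocation, requestUrl, credentials = "same-origin") {
  if (credentials === "omit") return null;
  const sameOrigin = new URL(pageLocation).origin === new URL(requestUrl).origin;
  if (credentials === "same-origin" && !sameOrigin) return null;
  const pairs = cookiesFor(jar, requestUrl); // correct lookup key
  return pairs.length ? pairs.join("; ") : null;
}

// Constructed scenario: page on origin A holds a session cookie and calls
// an API on origin B with { credentials: "include" }.
const JAR = [
  makeCookie("session", "s3cr3t-A", { domain: "app-a.example", secure: true }),
  makeCookie("theme", "dark", { domain: "api-b.example" }),
];
const PAGE = "https://app-a.example/dashboard";
const TARGET = "https://api-b.example/v1/data";

// Returns the Cookie header each implementation would put on the request.
function demo() {
  return {
    vulnerable: cookieHeaderVulnerable(JAR, PAGE, TARGET, "include"),
    fixed: cookieHeaderFixed(JAR, PAGE, TARGET, "include"),
  };
}

console.log(demo());
// vulnerable: "session=s3cr3t-A" (origin A's cookie sent to B)
// fixed:      "theme=dark"       (only B's own cookie)
```

The same check can be turned into a regression test for an application that runs under a headless DOM: store a cookie for one host, issue a credentialed fetch to a different host, and assert that the captured `Cookie` header contains only cookies scoped to the destination. The Secure and same-origin cases in the model show the other two filters a correct implementation applies before attaching anything.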
How can this vulnerability impact me?
The vulnerability can lead to the leakage of cookies from one origin to another. This means sensitive session or authentication cookies intended for one website could be exposed to a different site, potentially allowing attackers to hijack sessions or gain unauthorized access to user data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade Happy DOM to version 20.8.9 or later, as this version fixes the issue where cookies from the current page origin could be leaked when using fetch with credentials set to "include".
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability in Happy DOM may cause cookies from one origin to be leaked to another origin when using fetch with credentials included. Such unintended cookie leakage can lead to unauthorized exposure of personal or sensitive information.
Since regulations like GDPR and HIPAA require strict controls on personal data confidentiality and integrity, this vulnerability could potentially result in non-compliance if sensitive user data is exposed due to cookie leakage.
Therefore, affected versions prior to 20.8.9 might pose a risk to compliance with these standards until the issue is fixed by upgrading to version 20.8.9 or later.