Happy DOM Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability exists in Happy DOM versions prior to 20.0.0. The Node.js VM context in which Happy DOM evaluates page scripts is not an isolation boundary: untrusted JavaScript running in that context can escape it and reach process-level objects of the host. What the attacker can do from there depends on the module system of the host process. In CommonJS, the escaped code can reach 'require()' and load arbitrary modules; under ECMAScript Modules (ESM), 'import' is not directly reachable, but process-level information is still exposed. Versions before 20.0.0 enable JavaScript evaluation by default, so any application that loads untrusted HTML with Happy DOM is exposed without ever having opted in.
Impact
Untrusted JavaScript that escapes the VM context runs with the full privileges of the Node.js process that embeds Happy DOM, which amounts to remote code execution whenever the HTML being parsed comes from an attacker. In a CommonJS process this includes loading built-in modules such as 'fs' and reading or writing the file system; in an ESM process the script still reaches the 'process' object and everything it exposes.
Reproduction
To reproduce, create a new Window with JavaScript evaluation enabled and write a script into the document (for example with document.write) whose body escapes the VM context. In a CommonJS process the script can reach the host 'process' object and, through it, 'require', so it can load modules and run arbitrary code. In an ESM process 'import' is not reachable this way, but the same process-level information available through 'process' can be read.
Remediation
Update to Happy DOM 20.0.0 or later, where JavaScript evaluation is disabled by default, and only enable it for documents whose scripts you trust: the VM context still does not isolate them from the process. If evaluating untrusted scripts cannot be avoided, run Node.js with the '--disallow-code-generation-from-strings' flag, which makes 'eval()' and 'new Function()' throw an EvalError in the host process and so closes the code-generation route the escape depends on. The flag applies to the whole process, so any dependency that relies on 'eval' or 'new Function' will break, and it is a mitigation rather than an isolation boundary.
