Happy DOM Remote Code Execution Vulnerability in ECMAScript Module Compiler
Vulnerability
A remote code execution vulnerability has been identified in Happy DOM versions from 15.10.0 and prior to 20.8.7. The issue arises in the ECMAScript Module Compiler, where unsanitized export names in 'export { }' declarations are interpolated into the compiled output as executable code. An attacker who controls the module source can therefore inject arbitrary JavaScript that is executed, potentially leading to unauthorized command execution on the host system. The flaw is exploitable when JavaScript evaluation is enabled, either by default or through user action.
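The bug class described above, shown as an added illustration that is not Happy DOM's source code: a toy compiler that pastes export names into generated code, next to a hardened form that validates them first. All function names, the identifier regex, and the sample inputs are assumptions constructed for this example, and the hostile input only flips a flag to show that injected code ran.

```javascript
// Added illustration of the bug class; not Happy DOM's source. All names are hypothetical.

// Simplified parser: returns the raw names listed in `export { a, b }`.
function parseExportNames(source) {
  const match = /export\s*\{([^}]*)\}/.exec(source);
  if (!match) return [];
  return match[1].split(',').map((s) => s.trim()).filter(Boolean);
}

// Vulnerable pattern: the export name is pasted into generated source as code.
function compileUnsafe(names) {
  return names.map((name) => `exports.${name} = ${name};`).join('\n');
}

// Conservative ASCII identifier grammar (a subset of what ECMAScript allows).
const IDENTIFIER = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// Hardened pattern: reject anything that is not a plain identifier, and emit
// the property key as a JSON string literal so it is never parsed as code.
function compileSafe(names) {
  return names.map((name) => {
    if (!IDENTIFIER.test(name)) {
      throw new SyntaxError(`Invalid export name: ${JSON.stringify(name)}`);
    }
    return `exports[${JSON.stringify(name)}] = ${name};`;
  }).join('\n');
}

// Evaluate generated code with explicit bindings (stands in for the module evaluator).
function run(code, bindings) {
  new Function(...Object.keys(bindings), code)(...Object.values(bindings));
  return bindings;
}

// Constructed inputs. The hostile one only sets a flag to prove that code ran.
const BENIGN = 'export { x, y }';
const HOSTILE = 'export { x; flag.hit = true; // }';

function demo() {
  const flag = { hit: false };
  run(compileUnsafe(parseExportNames(HOSTILE)), { exports: {}, x: 1, flag });
  let rejected = false;
  try { compileSafe(parseExportNames(HOSTILE)); } catch (e) { rejected = e instanceof SyntaxError; }
  const ok = run(compileSafe(parseExportNames(BENIGN)), { exports: {}, x: 1, y: 2 });
  return { injectedRan: flag.hit, rejected, exports: ok.exports };
}
```

The same rule applies to any code generator: a value taken from untrusted source text is either validated against the grammar it is supposed to match or emitted as a quoted data literal, never concatenated into the output as code.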
Impact
Exploitation of this vulnerability allows for arbitrary command execution on the host system.
Reproduction
The vulnerability can be reproduced by injecting unsanitized export names into an ES module script processed by Happy DOM. This can be done by creating a script that exports a require statement, such as 'require(`child_process`).execSync(`id`)'; the injected code is then executed via the exported module.
Remediation
Users can upgrade to Happy DOM version 20.8.8 or later, where this vulnerability has been patched.
