Happy DOM Cookie Leakage Vulnerability in Fetch Requests with Credentials
Vulnerability
A vulnerability in Happy DOM versions prior to 20.8.9 allows cookies to leak between different origins. When the Fetch API is used with credentials included, the library may attach the cookies of the current page origin instead of the cookies that belong to the request target URL. As a result, cookies set for one origin can be sent to another, potentially leading to unauthorized access or data exposure.
Impact
Exploitation of this vulnerability causes cross-origin cookie leakage, where cookies from the page origin are incorrectly sent to the request target, violating expected cookie handling in cross-origin requests.
Reproduction
To reproduce this vulnerability, set a cookie on the page origin (e.g., 'page_cookie=PAGE_ONLY') and another cookie on the target origin (e.g., 'api_cookie=API_ONLY'). Then, make a fetch request from the page origin to the target origin with credentials included. The request will incorrectly include the page origin cookie instead of the target origin cookie, demonstrating the vulnerability.
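The reproduction above as a self-contained model of the cookie selection step (an added example, not Happy DOM's code). The `CookieJar` class, the function names and the `page.example` / `api.example` hosts are hypothetical, and cookies are keyed by exact hostname for simplicity.

```javascript
// Simplified model of cookie selection for fetch(); not Happy DOM's source.
// Assumption: cookies are keyed by exact hostname (real jars also match
// Domain, Path, Secure and SameSite).
class CookieJar {
  constructor() {
    this.byHost = new Map();
  }
  set(url, name, value) {
    const host = new URL(url).hostname;
    if (!this.byHost.has(host)) this.byHost.set(host, new Map());
    this.byHost.get(host).set(name, value);
  }
  header(url) {
    const cookies = this.byHost.get(new URL(url).hostname) ?? new Map();
    return [...cookies].map(([n, v]) => `${n}=${v}`).join('; ');
  }
}

// Decide whether credentials may be attached at all, per the fetch credentials mode.
function credentialsAllowed(pageUrl, requestUrl, credentials) {
  if (credentials === 'include') return true;
  if (credentials === 'same-origin') {
    return new URL(pageUrl).origin === new URL(requestUrl).origin;
  }
  return false; // 'omit'
}

// Behaviour described in the advisory: jar lookup keyed on the page URL.
function cookieHeaderBuggy(jar, pageUrl, requestUrl, credentials) {
  if (!credentialsAllowed(pageUrl, requestUrl, credentials)) return '';
  return jar.header(pageUrl);
}

// Expected behaviour: jar lookup keyed on the request target URL.
function cookieHeaderExpected(jar, pageUrl, requestUrl, credentials) {
  if (!credentialsAllowed(pageUrl, requestUrl, credentials)) return '';
  return jar.header(requestUrl);
}

// Constructed sample data, using the cookie names from the reproduction steps.
const PAGE = 'https://page.example/app';
const API = 'https://api.example/data';
const jar = new CookieJar();
jar.set(PAGE, 'page_cookie', 'PAGE_ONLY');
jar.set(API, 'api_cookie', 'API_ONLY');

console.log('buggy   :', cookieHeaderBuggy(jar, PAGE, API, 'include'));
console.log('expected:', cookieHeaderExpected(jar, PAGE, API, 'include'));
```

The same two assertions (target cookie present, page cookie absent on the outgoing request) make a useful regression test against a local echo server after upgrading.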
Remediation
Users can upgrade to Happy DOM version 20.8.9 or later, where this vulnerability has been fixed.
