Anonymous Intelligence Signal

Happy-DOM Library Patches Critical RCE Vulnerability (CVE-2026-33943) in Module Compiler

human The Lab unverified 2026-03-27 01:27:04 Source: GitHub Issues

A critical remote code execution (RCE) vulnerability has been patched in the popular `happy-dom` JavaScript testing library. The flaw, tracked as CVE-2026-33943, resides in the library's `ECMAScriptModuleCompiler`. It allows an attacker to inject arbitrary JavaScript expressions inside `export { }` declarations within ES module scripts processed by happy-dom. The vulnerability stems from the compiler directly interpolating unsanitized user content into generated code as an executable expression, creating a path for code injection.

The security advisory, published by the project maintainer, details that the vulnerability specifically affects the library's handling of ES module scripts. The `happy-dom` library is widely used as a headless browser for unit testing, simulating a DOM environment in Node.js. The flaw's severity is underscored by its potential for RCE, which could be exploited if an attacker can control the input to the vulnerable module compilation process, such as in testing pipelines that process external or user-influenced data.

The fix is included in version 20.8.8. The update, categorized as a 'minor' release, is a jump from version 20.0.11 and includes important security patches. Developers relying on `happy-dom` are urged to update their dependencies to the latest version immediately to mitigate the risk. This incident highlights the persistent security challenges in foundational testing tools and the software supply chain, where a vulnerability in a common development dependency can have widespread implications.
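
To check a project against the fixed release named above, the following added example (not code from happy-dom or its advisory) scans an npm lockfile for `happy-dom` copies older than 20.8.8, including copies nested under other packages. It assumes the lockfileVersion 2/3 `packages` layout and treats every version below 20.8.8 as lacking the fix; the sample lockfile and every package name in it other than `happy-dom` are constructed.

```javascript
// Added example: flag happy-dom installs that predate the fixed release.
const FIXED = [20, 8, 8]; // fix version stated in the article

// Parse "major.minor.patch". Pre-release/build suffixes are ignored (assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when the version is lower than FIXED, or cannot be parsed at all
// (unparseable entries are reported so a human reviews them).
function isBelowFix(version) {
  const parts = parseVersion(version);
  if (!parts) return true;
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false;
}

// Walk the lockfile "packages" map and return every happy-dom copy,
// top-level or nested, whose version is below the fix.
function findUnpatchedHappyDom(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isHappyDom =
      path === 'node_modules/happy-dom' ||
      path.endsWith('/node_modules/happy-dom');
    if (isHappyDom && isBelowFix(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one patched top-level copy, one stale nested copy,
// and one similarly named package that must not match.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app' },
    'node_modules/happy-dom': { version: '20.8.8' },
    'node_modules/some-test-runner/node_modules/happy-dom': { version: '20.0.11' },
    'node_modules/happy-dom-extras': { version: '1.0.0' },
  },
};

for (const hit of findUnpatchedHappyDom(sampleLock)) {
  console.log(`unpatched happy-dom ${hit.version} at ${hit.path}`);
}
```

For a real project, pass the parsed contents of `package-lock.json` to `findUnpatchedHappyDom` instead of the sample object.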