Happy-DOM Security Patch Fixes Cookie Forwarding Vulnerability (GHSA-w4gp-fjgq-3q4g)
A critical security vulnerability in the popular JavaScript testing library Happy-DOM has been patched, addressing a flaw that could have exposed user session data. The issue, tracked as GHSA-w4gp-fjgq-3q4g, involved the library incorrectly attaching cookies belonging to the current document origin to fetch requests sent to a different target origin. If exploited, this behavior could have disclosed sensitive authentication tokens or session identifiers to the target of a cross-origin request in testing environments that simulate such requests.
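To make the class of bug concrete, here is an added example (it is not Happy-DOM's code and does not reproduce its internals) that models cookie selection for a fetch request two ways: the forwarding behavior the advisory describes, where cookies of the current document origin travel with every request, next to origin-scoped selection keyed on the target URL. The cookie jar, origin names and the `currentOriginCookieLeaked` check are constructed for the example; the matching rules follow the domain-match and path-match semantics of RFC 6265.

```javascript
// Added example, not Happy-DOM's code: a minimal model of cookie scoping for
// fetch requests, contrasting the forwarding behaviour the advisory describes
// with origin-scoped selection. All names and sample cookies are constructed.

// Constructed cookie jar for a test page whose document origin is ORIGIN.
const ORIGIN = 'https://app.example.test';
const JAR = [
  { name: 'session', value: 'abc123', domain: 'app.example.test', path: '/', secure: true, hostOnly: true },
  { name: 'prefs', value: 'dark', domain: 'example.test', path: '/', secure: false, hostOnly: false },
  { name: 'csrf', value: 'tok', domain: 'app.example.test', path: '/admin', secure: true, hostOnly: true },
];

// Domain-match in the RFC 6265 sense: host-only cookies need an exact host,
// domain cookies also match subdomains.
function domainMatches(host, cookieDomain, hostOnly) {
  if (hostOnly) return host === cookieDomain;
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// Path-match: the cookie path is a prefix of the request path on a '/' boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

function serialize(cookies) {
  return cookies.map((c) => `${c.name}=${c.value}`).join('; ');
}

// Model of the flawed behaviour: cookies that belong to the *current* document
// origin are attached to the request regardless of where it is going.
function cookieHeaderForwarding(jar, currentOrigin, targetUrl) {
  const cur = new URL(currentOrigin);
  return serialize(jar.filter((c) => domainMatches(cur.hostname, c.domain, c.hostOnly)));
}

// Corrected behaviour: cookies are chosen by the *target* URL's host, path and
// scheme; the current origin plays no part in the selection.
function cookieHeaderScoped(jar, _currentOrigin, targetUrl) {
  const t = new URL(targetUrl);
  return serialize(jar.filter((c) =>
    domainMatches(t.hostname, c.domain, c.hostOnly) &&
    pathMatches(t.pathname, c.path) &&
    (!c.secure || t.protocol === 'https:')));
}

// Regression check a test suite can run against any header builder: does a
// request to another host carry a cookie that belongs only to the current origin?
function currentOriginCookieLeaked(jar, currentOrigin, targetUrl, buildHeader) {
  const sent = buildHeader(jar, currentOrigin, targetUrl).split('; ');
  const curHost = new URL(currentOrigin).hostname;
  const tgtHost = new URL(targetUrl).hostname;
  return jar.some((c) =>
    domainMatches(curHost, c.domain, c.hostOnly) &&
    !domainMatches(tgtHost, c.domain, c.hostOnly) &&
    sent.includes(`${c.name}=${c.value}`));
}

// Stand-alone demonstration against a constructed third-party target.
const target = 'https://api.other.test/collect';
console.log('forwarding:', JSON.stringify(cookieHeaderForwarding(JAR, ORIGIN, target)),
  'leaked:', currentOriginCookieLeaked(JAR, ORIGIN, target, cookieHeaderForwarding));
console.log('scoped:    ', JSON.stringify(cookieHeaderScoped(JAR, ORIGIN, target)),
  'leaked:', currentOriginCookieLeaked(JAR, ORIGIN, target, cookieHeaderScoped));
```

The `currentOriginCookieLeaked` check is the useful part for a test suite: run it against whatever fetch shim or DOM environment the project uses, with a cross-host target, and it fails only when a cookie scoped to the page's own origin shows up on a request that origin should never have been decorating.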
The patch was released in version 20.8.9 of Happy-DOM, a headless browser implementation used for unit testing web applications. The vulnerability was discovered and responsibly reported by GitHub user @r74tech, prompting maintainer @capricorn86 to issue a fix. The update is classified as a security advisory, indicating the potential severity of the flaw for developers relying on the library for accurate and secure testing simulations.
This incident underscores the persistent security risks within the sprawling JavaScript dependency ecosystem, where a single patch in a widely used testing tool can have cascading implications. Developers are urged to update their projects from happy-dom version 20.8.8 to 20.8.9 immediately to mitigate the risk. The fix highlights the critical role of open-source security researchers in identifying and reporting such subtle yet impactful bugs in foundational development tools.