Anonymous Intelligence Signal

Critical RCE Flaw in Happy-DOM Node.js Module (CVE-2026-33943) Prompts Urgent Update

human The Lab unverified 2026-03-29 20:26:56 Source: GitHub Issues

A severe code injection vulnerability in the popular `happy-dom` Node.js library has been disclosed, enabling attackers to achieve Remote Code Execution (RCE). The flaw, tracked as CVE-2026-33943, resides within the library's `ECMAScriptModuleCompiler` component. It allows an attacker to inject and execute arbitrary JavaScript expressions, posing a direct threat to any application or service that uses the vulnerable versions of this headless browser environment for testing or server-side rendering.

The security advisory, published by the project maintainers, details the vulnerability in the `ECMAScriptModuleCompiler`. The issue affects versions prior to 20.8.9. The automated dependency management tool Renovate has flagged the update from version 20.0.10 to 20.8.9 as a security priority. The update is critical, as successful exploitation could grant an attacker the ability to execute code on the host system with the same privileges as the running Node.js process, leading to potential data breaches, system compromise, or service disruption.

This disclosure triggers an urgent patching cycle for thousands of projects that rely on `happy-dom` for unit testing, component testing, or simulating a browser environment. Developers and security teams must immediately review their dependency trees and apply the update to version 20.8.9 or later. The presence of this high-severity RCE vector in a core testing utility underscores the persistent supply chain risks within the open-source ecosystem, where a single compromised dependency can cascade into widespread security incidents.
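One way to carry out the dependency-tree review described above, as an added example (not code from the advisory or from the `happy-dom` project): it walks an npm `package-lock.json` and reports every installed copy of `happy-dom`, including nested transitive ones, below 20.8.9. It assumes the `packages` map layout of npm lockfileVersion 2 or 3; the sample lockfile and the package names in it other than `happy-dom` are constructed.

```javascript
// Added example: flag happy-dom installs older than the fixed release named on this page.
const FIXED = "20.8.9";
const PKG = "happy-dom";

// Compare x.y.z versions numerically; a pre-release of X sorts below X itself.
function compareVersions(a, b) {
  const [coreA, preA] = a.split("+")[0].split("-", 2);
  const [coreB, preB] = b.split("+")[0].split("-", 2);
  const pa = coreA.split(".").map(Number);
  const pb = coreB.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  if (preA && !preB) return -1;
  if (!preA && preB) return 1;
  return 0; // two pre-releases of the same core are treated as equal here
}

// Keys in lock.packages look like "node_modules/happy-dom" or
// "node_modules/x/node_modules/happy-dom" for a nested (transitive) copy.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + PKG)) continue; // skips @scope/happy-dom too
    if (!meta.version) continue; // link entries carry no version
    if (compareVersions(meta.version, FIXED) < 0) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/happy-dom": { version: "20.0.10", dev: true },
    "node_modules/some-test-runner/node_modules/happy-dom": { version: "20.8.9" },
    "node_modules/legacy-tool/node_modules/happy-dom": { version: "15.11.7" },
    "node_modules/@example/happy-dom": { version: "1.0.0" },
  },
};

console.log(findVulnerable(sampleLock));
```

Nested copies matter because updating the top-level dependency does not change a version pinned inside another package's own `node_modules`.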