A significant security flaw has been discovered in Happy DOM, a popular JavaScript DOM implementation, affecting versions up to v19.
This vulnerability places systems at risk of Remote Code Execution (RCE) attacks, potentially impacting the package’s 2.7 million weekly users.
The flaw arises because the Node.js VM Context used by Happy DOM is not a completely isolated environment, which can allow untrusted code to escape and gain access to the underlying system’s functionalities.
The primary issue is that Happy DOM has JavaScript evaluation enabled by default, a detail that may not be apparent to all developers using the library.
This default configuration becomes a security risk when the environment executes untrusted code. An attacker can craft malicious JavaScript that traverses the constructor chain to access the process-level Function constructor.
This allows them to execute code outside the intended sandboxed environment, leading to a full VM escape.
The type of module system in use, CommonJS or ESM, determines the extent of the attacker’s control. In a CommonJS environment, an attacker can access the require() function, which allows them to load Node.js modules and perform unauthorized actions.
Potential Attack Scenarios
The implications of this vulnerability are far-reaching, especially for applications that use Server-Side Rendering (SSR) or testing frameworks that process external content.
An attacker could inject a malicious script into user-controlled HTML, which would then be executed on the server. Successful exploitation could lead to several damaging outcomes:
- Data Exfiltration: Gaining access to sensitive information like environment variables, configuration files, and other secrets.
- Lateral Movement: Using network access to connect to other internal systems. Although Happy DOM has some network protections, a compromised process could bypass them.
- Code Execution: Obtaining child process access to run arbitrary commands on the server.
- Persistence: Modifying the file system to maintain a long-term presence on the compromised system.
Mitigations
The developers of Happy DOM have released a patched version to address this vulnerability. Users are strongly advised to take immediate action to protect their systems.
The recommended course of action is to update to Happy DOM v20 or newer. This updated version disables JavaScript evaluation by default and includes a warning if it is enabled in what is considered an insecure environment.
For users who require JavaScript evaluation, it is crucial to run Node.js with the --disallow-code-generation-from-strings flag. This setting prevents the use of eval() and Function() at the process level, closing the loophole that allows for the VM escape.
If an immediate update is not feasible, developers should disable JavaScript evaluation manually unless the content being processed is from a completely trusted source.
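As an added example (not code from the article or from the Happy DOM project), the startup guard below reproduces the check a service rendering untrusted HTML would want before an update to v20 is possible: evaluation stays disabled unless explicitly requested, and a request to enable it is refused when the process was not started with --disallow-code-generation-from-strings. The option names `disableJavaScriptEvaluation` and `disableJavaScriptFileLoading` for Happy DOM's `Window` settings are assumed; check them against the installed version.

```javascript
// Added example, not from the article or the Happy DOM project.
// Assumption: Happy DOM's `new Window({ settings })` accepts
// `disableJavaScriptEvaluation` and `disableJavaScriptFileLoading`.

// Build the settings object. Evaluation is off unless the caller asks for it,
// which is the manual equivalent of the v20 default described in the article.
function happyDomSettingsFor({ enableJavaScriptEvaluation }) {
  return {
    disableJavaScriptEvaluation: !enableJavaScriptEvaluation,
    disableJavaScriptFileLoading: !enableJavaScriptEvaluation,
  };
}

// True when Node was started with --disallow-code-generation-from-strings:
// in that mode `new Function(...)` throws an EvalError, so there is no
// process-level Function constructor for escaped code to reach.
function codeGenerationFromStringsBlocked() {
  try {
    new Function('return 1'); // only constructed, never invoked
    return false;
  } catch (err) {
    return err instanceof EvalError;
  }
}

// Refuse to start with evaluation enabled on a process that still allows
// code generation from strings; otherwise return the settings to use.
function checkStartup({ enableJavaScriptEvaluation }) {
  const settings = happyDomSettingsFor({ enableJavaScriptEvaluation });
  const blocked = codeGenerationFromStringsBlocked();
  if (enableJavaScriptEvaluation && !blocked) {
    throw new Error(
      'JavaScript evaluation requested but Node is not running with ' +
      '--disallow-code-generation-from-strings'
    );
  }
  return { settings, codeGenerationBlocked: blocked };
}

// Usage (Happy DOM import omitted so this file runs stand-alone):
//   const { settings } = checkStartup({ enableJavaScriptEvaluation: false });
//   const window = new Window({ settings });
```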
The post Happy DOM Vulnerability Exposes 2.7 Million Users To Remote Code Execution Attacks appeared first on Cyber Security News.