Listen to this Post
How the CVE Works
The vulnerability exists in the `getRequestHeaders()` function within FetchRequestHeaderUtility.ts. When a fetch request is made with credentials: "include", the function incorrectly uses the current page’s origin (window.location.href) to retrieve cookies from the cookie store. Instead of using the destination URL of the request, the code creates an `originURL` from the page’s URL. This `originURL` is then passed to cookieContainer.getCookies(), which returns all cookies associated with that page origin. This results in cookies from the page’s origin being attached to the request headers of a cross-origin request. The correct behavior is to use the request’s target URL (e.g., new URL(options.request[PropertySymbol.url])) for cookie selection. A Proof of Concept demonstrates this by setting a cookie on `a.127.0.0.1.nip.io` (page origin) and another on `b.127.0.0.1.nip.io` (target). When a fetch request with credentials is made from the first to the second, the request includes the `page_cookie` from origin A but not the `api_cookie` from target B, confirming the cookie source misidentification.
dailycve form:
Platform: happy-dom
Version: 20.6.1
Vulnerability: Cookie Origin Leak
Severity: Medium (CVSS 6.5)
date: 2026-03-30
Prediction: Expected next release
What Undercode Say:
Setup DNS resolution (using nip.io for local testing) export PAGE_HOST="a.127.0.0.1.nip.io" export API_HOST="b.127.0.0.1.nip.io" Run the Proof of Concept script node poc.js Expected output showing page_cookie is leaked
Exploit:
An attacker can host a malicious page on origin A that uses `fetch()` to send requests to origin B. If the user has cookies for origin A, these cookies will be included in the request to origin B, potentially exposing session tokens or sensitive authentication data. This bypasses the Same-Origin Policy for cookie transmission, allowing unauthorized cross-origin data leakage.
Protection from this CVE
Upgrade to a patched version of `happy-dom` where the cookie selection logic uses the request URL instead of the page origin. If immediate upgrade is not possible, avoid using `credentials: “include”` in fetch requests that target different origins, or implement a custom request wrapper that manually handles cookie headers.
Impact
Cross-origin sensitive information disclosure. Applications using `happy-dom` for server-side rendering, testing, or proxying that rely on authenticated fetch requests are vulnerable. This can lead to leakage of session cookies or authentication tokens from one origin to another, potentially enabling account takeover or unauthorized data access.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

