
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2024-51757 affects happy-dom, a JavaScript implementation of a web browser without a graphical user interface, typically embedded in server-side Node.js code. The advisory was published on November 6, 2024 and covers all versions prior to 15.10.2. A crafted script tag in HTML processed by happy-dom can lead to arbitrary code execution on the host, running with the privileges of the operating-system user that runs the happy-dom process (NVD, GitHub Advisory).
The vulnerability stems from insufficient input validation in the handling of script tags. To perform synchronous fetches, happy-dom spawns a child Node.js process via child_process.execFileSync() and hands it a generated script; the URL taken from a script tag's 'src' attribute was interpolated directly into that script's source. A URL containing a quote character could therefore terminate the string literal and append arbitrary JavaScript, which the child process then executed on the server (the "server-side script injection" described in the advisory). The vulnerability has been assigned a CVSS v4.0 score of 9.3 (CRITICAL) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (NVD).
When exploited, this vulnerability lets an attacker who controls HTML processed by happy-dom (for example, a page it is asked to load or a document handed to it for rendering or testing) execute arbitrary code on the host system with the privileges of the happy-dom process. The impact therefore ranges from unauthorized access to data exposure or full compromise of the affected machine, depending on what that process can reach (GitHub Advisory).
Users are advised to upgrade to version 15.10.2, which contains the security fix. The patch ensures that URL strings taken from script tags are passed to the synchronous-fetch child process as data rather than being interpolated into executable script source. No workaround other than upgrading is known; until the upgrade is applied, avoid feeding untrusted HTML to affected versions (GitHub Release).
Source: This report was generated using AI