Happy DOM is a JavaScript implementation of a web browser without its graphical user interface
Description
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface
Remediation
Apply vendor security updates immediately. Monitor for exploitation attempts and review access logs.
---METADATA---
VENDOR: Saloon
PRODUCT: Saloon (PHP Library)
AFFECTED_VERSIONS: Versions prior to 4.0.0
---END_METADATA---
Description Summary:
Saloon versions prior to 4.0.0 are vulnerable to PHP Object Injection via insecure use of unserialize() in the AccessTokenAuthenticator class, potentially leading to remote code execution.
Executive Summary:
The Saloon PHP library is vulnerable to a critical object injection flaw that can be leveraged to achieve remote code execution by providing malicious serialized OAuth token data.
Vulnerability Details
CVE-ID: CVE-2026-33942
Affected Software: Saloon
Affected Versions: Versions prior to 4.0.0
Vulnerability: The library used
unserialize()withallowed_classes => truein itsAccessTokenAuthenticatorclass. If an attacker can control the serialized string (e.g., via cache poisoning or file overwrites), they can inject a "gadget" object that triggers malicious code execution through PHP magic methods during instantiation.Business Impact
This vulnerability can lead to full remote code execution, especially in environments containing common PHP gadget chains like Monolog. The CVSS score of 9.8 reflects the high impact on confidentiality and integrity, as an attacker could gain complete control over the application's execution environment.
Remediation Plan
Immediate Action: Upgrade the Saloon library to version 4.0.0 or higher. This version removes the dangerous use of PHP serialization for token management.
Proactive Monitoring: Monitor for suspicious activity in application cache directories and review logs for PHP serialization errors or unexpected object types.
Compensating Controls: If upgrading is not immediately possible, ensure that the storage mechanism for OAuth tokens (e.g., Redis, file system) is strictly secured and inaccessible to untrusted users.
Exploitation Status
Public Exploit Available: false
Analyst Notes: As of Mar 26, 2026, there is no public information indicating active exploitation of this vulnerability. However, due to the nature of the flaw, the potential for exploitation is high.
Analyst Recommendation
PHP Object Injection remains a critical threat to modern applications. Users of the Saloon library should migrate to version 4.0.0 immediately to eliminate the use of
unserialize()and mitigate the risk of remote code execution.