HIGH

GHSA-95jq-xph2-cx9h

Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)

Details

Prototype Pollution in internal `assign()` helper in Linkify allows remote attackers to execute arbitrary JavaScript (Stored or Reflected XSS) via injection of event handlers through unfiltered proto property. This issue affects Linkify version 4.3.1 and is fixed in 4.3.2.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / linkifyjs

Introduced in: 4.3.1 Fixed in: 4.3.2

Fix npm install linkifyjs@4.3.2

References

https://nvd.nist.gov/vuln/detail/CVE-2025-8101 [ADVISORY]
https://github.com/nfrasser/linkifyjs/commit/931d3e28b68951b8f898ea4d6504696346b485b0 [WEB]
https://caverav.cl/posts/linkify-xss/linkify-xss [WEB]
https://fluidattacks.com/advisories/charly [WEB]
https://github.com/nfrasser/linkifyjs [PACKAGE]
https://github.com/nfrasser/linkifyjs/releases/tag/v4.3.2 [WEB]
https://www.npmjs.com/package/linkifyjs [WEB]