HIGH

GHSA-95jq-xph2-cx9h

Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)

상세

Prototype Pollution in internal `assign()` helper in Linkify allows remote attackers to execute arbitrary JavaScript (Stored or Reflected XSS) via injection of event handlers through unfiltered proto property. This issue affects Linkify version 4.3.1 and is fixed in 4.3.2.

이 버전이 영향받나요?

사용 중인 패키지 버전을 입력하면 즉시 평가합니다.

영향 패키지

npm / linkifyjs

최초 영향 버전: 4.3.1 수정 버전: 4.3.2

수정 npm install linkifyjs@4.3.2

참고

https://nvd.nist.gov/vuln/detail/CVE-2025-8101 [ADVISORY]
https://github.com/nfrasser/linkifyjs/commit/931d3e28b68951b8f898ea4d6504696346b485b0 [WEB]
https://caverav.cl/posts/linkify-xss/linkify-xss [WEB]
https://fluidattacks.com/advisories/charly [WEB]
https://github.com/nfrasser/linkifyjs [PACKAGE]
https://github.com/nfrasser/linkifyjs/releases/tag/v4.3.2 [WEB]
https://www.npmjs.com/package/linkifyjs [WEB]