Prototype Pollution Vulnerability in Linkify by Nfrasser
CVE-2025-8101

8.8HIGH

Key Information:

Vendor

Linkify

Status
Linkify
Vendor
CVE Published:
25 July 2025

What is CVE-2025-8101?

A vulnerability exists in Linkify that allows for improperly controlled modification of object prototype attributes, leading to potential cross-site scripting (XSS) attacks. This can occur through the manipulation of HTML attributes and user-controlled variables, which could expose users to significant security risks. This issue primarily affects versions of Linkify prior to 4.3.2, making it crucial for users to update to the latest release to mitigate any potential threats.

Affected Version(s)

Linkify 4.3.1 < 4.3.2

References

https://fluidattacks.com/advisories/charly
third-party-advisory
https://github.com/nfrasser/linkifyjs
product
https://www.npmjs.com/package/linkifyjs
product

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
Low
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.