Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Untrusted text reaches the parser without auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is CPU exhaustion only, so C:N/I:N and A:H.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test() and .match() can be invoked at every mailto: occurrence and scan the remaining input through src_email_name in lib/re.mjs, causing O(n^2) CPU consumption on crafted user text. This issue is fixed in version 5.0.2.
AnalysisAI
Denial of service in linkify-it before 5.0.2 allows remote attackers to exhaust CPU by submitting crafted text containing many mailto: occurrences, each triggering the src_email_name email-name validator in lib/re.mjs to rescan the remaining input, yielding O(n^2) complexity. Any application that runs untrusted user text through linkify-it's .test() or .match() is affected; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the low complexity of the trigger makes availability disruption straightforward.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires only that the target application pass attacker-controlled text through linkify-it's .test() or .match() and that the input contain 'mailto:' occurrences whose trailing characters feed the src_email_name email-name scan; the quadratic cost scales with input length, so an attacker needs the ability to submit sufficiently long untrusted strings. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The signals are internally consistent for a denial-of-service issue but conflict with one supplied tag. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a comment, chat message, or markdown document containing many repeated 'mailto:' sequences followed by a long tail of email-name-like characters into an application that autolinks user text with linkify-it. Each mailto: occurrence forces src_email_name to rescan the remaining input, driving CPU to O(n^2) and stalling the request-handling thread, degrading or hanging the service for other users. … |
| Remediation | Vendor-released patch: 5.0.2 - upgrade linkify-it to 5.0.2 or later, and rebuild/redeploy any dependents (such as markdown-it) so the transitive dependency resolves to the fixed version; the corresponding upstream fix is commit 105e5d77f7d119871d2b2d86ed208568eb3e7ffe and is documented in advisory GHSA-v245-v573-v5vm (https://github.com/markdown-it/linkify-it/security/advisories/GHSA-v245-v573-v5vm). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all systems using linkify-it and assess attack surface. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-407 – Inefficient Algorithmic Complexity
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42321