Skip to main content

linkify-it EUVDEUVD-2026-42321

| CVE-2026-59887 HIGH
Inefficient Algorithmic Complexity (CWE-407)
2026-07-08 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Untrusted text reaches the parser without auth or interaction (AV:N/AC:L/PR:N/UI:N); impact is CPU exhaustion only, so C:N/I:N and A:H.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 18:02 EUVD
Analysis Generated
Jul 08, 2026 - 16:55 vuln.today

DescriptionCVE.org

linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test() and .match() can be invoked at every mailto: occurrence and scan the remaining input through src_email_name in lib/re.mjs, causing O(n^2) CPU consumption on crafted user text. This issue is fixed in version 5.0.2.

AnalysisAI

Denial of service in linkify-it before 5.0.2 allows remote attackers to exhaust CPU by submitting crafted text containing many mailto: occurrences, each triggering the src_email_name email-name validator in lib/re.mjs to rescan the remaining input, yielding O(n^2) complexity. Any application that runs untrusted user text through linkify-it's .test() or .match() is affected; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the low complexity of the trigger makes availability disruption straightforward.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify endpoint that linkifies user text
Delivery
Craft input with many mailto: sequences
Exploit
Submit via API or form
Execution
Trigger O(n^2) src_email_name rescans
Persist
Exhaust CPU on parsing thread
Impact
Service degradation or denial

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the target application pass attacker-controlled text through linkify-it's .test() or .match() and that the input contain 'mailto:' occurrences whose trailing characters feed the src_email_name email-name scan; the quadratic cost scales with input length, so an attacker needs the ability to submit sufficiently long untrusted strings. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are internally consistent for a denial-of-service issue but conflict with one supplied tag. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a comment, chat message, or markdown document containing many repeated 'mailto:' sequences followed by a long tail of email-name-like characters into an application that autolinks user text with linkify-it. Each mailto: occurrence forces src_email_name to rescan the remaining input, driving CPU to O(n^2) and stalling the request-handling thread, degrading or hanging the service for other users. …
Remediation Vendor-released patch: 5.0.2 - upgrade linkify-it to 5.0.2 or later, and rebuild/redeploy any dependents (such as markdown-it) so the transitive dependency resolves to the fixed version; the corresponding upstream fix is commit 105e5d77f7d119871d2b2d86ed208568eb3e7ffe and is documented in advisory GHSA-v245-v573-v5vm (https://github.com/markdown-it/linkify-it/security/advisories/GHSA-v245-v573-v5vm). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all systems using linkify-it and assess attack surface. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42321 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy