Skip to main content

Linkify It

1 CVEs product

Monthly

CVE-2026-59887 HIGH PATCH This Week

Denial of service in linkify-it before 5.0.2 allows remote attackers to exhaust CPU by submitting crafted text containing many mailto: occurrences, each triggering the src_email_name email-name validator in lib/re.mjs to rescan the remaining input, yielding O(n^2) complexity. Any application that runs untrusted user text through linkify-it's .test() or .match() is affected; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the low complexity of the trigger makes availability disruption straightforward.

Information Disclosure Linkify It
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.3%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service in linkify-it before 5.0.2 allows remote attackers to exhaust CPU by submitting crafted text containing many mailto: occurrences, each triggering the src_email_name email-name validator in lib/re.mjs to rescan the remaining input, yielding O(n^2) complexity. Any application that runs untrusted user text through linkify-it's .test() or .match() is affected; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the low complexity of the trigger makes availability disruption straightforward.

Information Disclosure Linkify It
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy