Linkify It
Monthly
Denial of service in linkify-it before 5.0.2 allows remote attackers to exhaust CPU by submitting crafted text containing many mailto: occurrences, each triggering the src_email_name email-name validator in lib/re.mjs to rescan the remaining input, yielding O(n^2) complexity. Any application that runs untrusted user text through linkify-it's .test() or .match() is affected; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the low complexity of the trigger makes availability disruption straightforward.
Denial of service in linkify-it before 5.0.2 allows remote attackers to exhaust CPU by submitting crafted text containing many mailto: occurrences, each triggering the src_email_name email-name validator in lib/re.mjs to rescan the remaining input, yielding O(n^2) complexity. Any application that runs untrusted user text through linkify-it's .test() or .match() is affected; there is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the low complexity of the trigger makes availability disruption straightforward.