Threat Advisory

LinkifyIt Vulnerability Enables Denial of Service

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-48801 (CVSS score 8.7) is a vulnerability in the linkify-it package, versions <= 5.0.0, in which the LinkifyIt.prototype.match function has quadratic algorithmic complexity, allowing a denial-of-service (DoS) attack. An attacker exploits it by sending a specially crafted request body containing many fuzzy links or email addresses, which causes the function to consume excessive CPU resources. Exploitation requires only the ability to send requests to a service that uses linkify-it, such as a web application that renders Markdown with linkify enabled; the capability gained is a denial of service that can disrupt the service or crash the system outright. The business impact could be significant, including loss of productivity, reputational damage and financial losses. Prerequisites for exploitation are an affected version of linkify-it and a service that synchronously renders untrusted Markdown with linkify enabled on a request hot path.

RECOMMENDATION:

We recommend updating linkify-it to version 5.0.1, the first release outside the affected range.
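Before applying the upgrade it helps to know which installed copies actually fall in the affected range, since a patched top-level dependency can still coexist with a nested copy. The following is an added example, not code from this advisory or from the linkify-it project, that scans an npm lockfile (v2/v3 format) for linkify-it versions below 5.0.1; the sample lockfile, including the markdown-it version number, is constructed.

```javascript
// Added example (not the advisory's or linkify-it's code): flag every copy of linkify-it
// in an npm lockfile (v2/v3) affected by CVE-2026-48801 (<= 5.0.0, fixed in 5.0.1),
// including nested copies that a check of the top-level dependency alone would miss.
const FIXED_VERSION = '5.0.1';

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build suffixes are ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Everything below the fixed release is inside the "<= 5.0.0" affected range.
function isAffected(version) {
  const a = parseVersion(version), b = parseVersion(FIXED_VERSION);
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i];
  return false;
}

// lockfile v2/v3 lists every installed copy flat under "packages", keyed by its
// install path, e.g. "node_modules/<parent>/node_modules/linkify-it" for a nested copy.
function findAffectedLinkifyIt(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!path.endsWith('node_modules/linkify-it') || !meta.version) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile: the direct copy is patched, but a nested copy pulled in
// by a Markdown renderer (version numbers are illustrative) is still on the affected 5.0.0.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/linkify-it': { version: '5.0.1' },
    'node_modules/markdown-it': { version: '14.1.0' },
    'node_modules/markdown-it/node_modules/linkify-it': { version: '5.0.0' },
  },
};

for (const h of findAffectedLinkifyIt(SAMPLE_LOCKFILE)) {
  console.log(`affected: ${h.path}@${h.version} -> upgrade to ${FIXED_VERSION}`);
}
```

To run it against a real project, replace SAMPLE_LOCKFILE with the parsed contents of that project's package-lock.json.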

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-22p9-wv53-3rq4
