CVE-2025-8101

HIGH

NPM Linkifyjs < 4.3.2 - Prototype Pollution

Title source: rule

Description

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.This issue affects Linkify: from 4.3.1 before 4.3.2.

References (4)

[Various Sources] https://fluidattacks.com/advisories/charly

[Various Sources] https://www.npmjs.com/package/linkifyjs

[Release Notes] https://github.com/nfrasser/linkifyjs/releases/tag/v4.3.2

[Various Sources] https://github.com/nfrasser/linkifyjs

View Writeup ZIP pw:eip

Scores

CVSS v4 8.8

EPSS 0.0017

EPSS Percentile 37.3%

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-1321

Status published

Products (2)

Linkify/Linkify 4.3.1 - 4.3.2

npm/linkifyjs 0 - 4.3.2npm

Published Jul 25, 2025

Tracked Since Feb 18, 2026