CVE-2025-8101HIGHCVSS 0.0

Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)

Published Jul 26, 2025·Updated Jun 26, 2026

Description

Prototype Pollution in internal `assign()` helper in Linkify allows remote attackers to execute arbitrary JavaScript (Stored or Reflected XSS) via injection of event handlers through unfiltered proto property. This issue affects Linkify version 4.3.1 and is fixed in 4.3.2.

Affected Packages (1)

linkifyjsNPM
Fixed in 4.3.2

References

View on NVD Search GitHub Search Google

Get alerted for CVEs like this

Register your stack and get notified within minutes when a matching CVE drops.

Start monitoring free