CVE-2025-8101 Overview
CVE-2025-8101 is a prototype pollution vulnerability in Linkify (linkifyjs), a popular JavaScript library that detects URLs in plain text and converts them into clickable links. The flaw is classified as CWE-1321: Improperly Controlled Modification of Object Prototype Attributes. Attackers can manipulate object prototype attributes to inject malicious values into HTML attributes generated by the library, enabling cross-site scripting (XSS) and tampering with user-controlled variables. The issue affects Linkify versions from 4.3.1 up to, but not including, 4.3.2.
Critical Impact
Successful exploitation allows attackers to execute arbitrary JavaScript in victim browsers by polluting the global Object.prototype, leading to session hijacking, credential theft, and unauthorized actions in applications embedding Linkify.
Affected Products
- Linkify (linkifyjs) version 4.3.1
- All Linkify releases prior to 4.3.2
- Web applications and Node.js projects that import linkifyjs for URL detection and rendering
Discovery Timeline
- 2025-07-25 - CVE-2025-8101 published to the National Vulnerability Database (NVD)
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-8101
Vulnerability Analysis
The vulnerability resides in how linkifyjs merges configuration options and intermediate objects during URL parsing and HTML rendering. The library fails to validate property names when assigning values to internal objects. Attackers can supply input containing reserved keys such as __proto__, constructor, or prototype to inject properties onto Object.prototype. Once polluted, every object in the JavaScript runtime inherits the attacker-controlled values.
Linkify uses these merged options to construct HTML attributes for generated anchor tags. When polluted properties propagate into attribute rendering, attackers can inject arbitrary attribute names and values, including event handlers like onclick or onmouseover. The result is stored or reflected XSS, depending on how the host application processes user input.
Root Cause
The root cause is unsafe recursive property assignment without filtering reserved object keys. The library merges objects using direct property access rather than safe operations such as Object.create(null), Map, or guards that reject __proto__, constructor.prototype, and similar paths. Any function that walks user-controlled object keys and writes them to a target object without validation is susceptible.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction beyond loading a page that processes attacker-controlled text. An attacker submits crafted input containing prototype-pollution payloads to any application surface that passes data through linkifyjs. The polluted prototype then influences subsequent link rendering, injecting malicious HTML attributes that execute JavaScript in the victim's browser context. See the Fluid Attacks Advisory and the Linkify v4.3.2 release notes for additional technical context.
Detection Methods for CVE-2025-8101
Indicators of Compromise
- Presence of linkifyjs version 4.3.1 in package.json, package-lock.json, or yarn.lock dependency manifests
- HTTP request bodies or query parameters containing __proto__, constructor, or prototype keys directed at endpoints that process free-form text
- Unexpected HTML attributes such as onerror, onload, or onmouseover appearing in rendered anchor tags generated server-side or client-side
- Browser console errors referencing modified built-in object properties on pages that render user content through Linkify
Detection Strategies
- Run software composition analysis (SCA) tools against application repositories to flag vulnerable linkifyjs versions from 4.3.1 up to, but not including, 4.3.2
- Inspect application logs and web application firewall (WAF) telemetry for payloads containing prototype-pollution gadgets
- Add Content Security Policy (CSP) violation reporting to capture unexpected inline script execution attempts originating from rendered links
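The manifest indicator and the SCA strategy above can be approximated with a small lockfile scan; this is an added example, not part of the advisory or of linkifyjs. It assumes an npm package-lock.json with lockfileVersion 2 or 3 and treats every release below 4.3.2 as affected; the function names, the lockfile excerpt and the package names other than linkifyjs are constructed.

```javascript
// Added example: flag linkifyjs copies below the fixed release in a lockfile.
const FIXED = [4, 3, 2]; // first fixed release according to this advisory

// Parse "major.minor.patch"; any pre-release or build suffix is ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v || '');
  return m ? m.slice(1).map(Number) : null;
}

function isBelowFixed(v) {
  const parts = parseVersion(v);
  if (!parts) return true; // unparseable version: flag for manual review
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return false; // exactly the fixed release
}

// Takes the parsed contents of package-lock.json, where "packages" maps
// install paths to metadata. Nested paths are transitive copies that a
// top-level upgrade does not replace.
function findVulnerableLinkify(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isLinkify = path === 'node_modules/linkifyjs' ||
      path.endsWith('/node_modules/linkifyjs');
    if (isLinkify && isBelowFixed(meta.version)) {
      findings.push({ path, version: meta.version });
    }
  }
  return findings;
}

// Constructed lockfile excerpt: top-level copy is fixed, nested copy is not.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/linkifyjs': { version: '4.3.2' },
    'node_modules/chat-widget': { version: '2.0.0' },
    'node_modules/chat-widget/node_modules/linkifyjs': { version: '4.3.1' },
  },
};

console.log(findVulnerableLinkify(SAMPLE_LOCK));
```

In a build pipeline, pass the result of `JSON.parse` on the real lockfile and fail the job when the returned array is non-empty.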
Monitoring Recommendations
- Monitor outbound requests from user browsers to untrusted domains immediately after pages render user-generated content
- Track anomalies in session token usage, particularly cookies accessed shortly after a user views content processed by linkifyjs
- Alert on changes to the npm dependency tree that pin or roll back linkifyjs to vulnerable versions during builds
How to Mitigate CVE-2025-8101
Immediate Actions Required
- Upgrade linkifyjs to version 4.3.2 or later across all production, staging, and development environments
- Audit application code for any custom integration that passes user-controlled objects directly into Linkify option arguments
- Apply server-side and client-side input validation to reject keys named __proto__, constructor, and prototype in JSON payloads
Patch Information
The Linkify maintainers addressed the prototype pollution issue in version 4.3.2. Install the fixed release from the npm registry using npm install linkifyjs@^4.3.2 or the equivalent command for your package manager. Review the v4.3.2 release on GitHub and the linkifyjs source repository to confirm the fix is present in the installed build.
Workarounds
- Wrap calls to linkifyjs so that input objects are sanitized through JSON.parse with a reviver that strips dangerous keys before they reach the library
- Enforce a strict Content Security Policy that disallows inline event handlers and inline scripts, reducing the impact of injected attributes
- Render Linkify output through a sanitizer such as DOMPurify configured to strip event-handler attributes before insertion into the DOM
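One way to implement the reviver workaround, together with the reserved-key rejection check listed under Immediate Actions, as an added example rather than linkifyjs or advisory code. The function names and the sample request body with its `opts`, `rel` and `polluted` fields are assumptions constructed for illustration.

```javascript
// Added example, not linkifyjs code. Keys this advisory names as pollution vectors.
const RESERVED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Reviver: JSON.parse visits every key, innermost first, and deletes any
// property for which the reviver returns undefined.
function stripReservedKeys(key, value) {
  return RESERVED_KEYS.has(key) ? undefined : value;
}

// Parse untrusted JSON and drop reserved keys at every depth.
function safeParse(text) {
  return JSON.parse(text, stripReservedKeys);
}

// Walk an already-parsed value and return the path of every reserved key,
// so the caller can reject or log the request instead of silently stripping.
function findReservedKeys(value, path = '$') {
  if (value === null || typeof value !== 'object') return [];
  const hits = [];
  for (const key of Object.keys(value)) { // own enumerable keys only
    const here = `${path}.${key}`;
    if (RESERVED_KEYS.has(key)) hits.push(here);
    hits.push(...findReservedKeys(value[key], here));
  }
  return hits;
}

// Constructed sample body. Plain JSON.parse keeps "__proto__" as an ordinary
// own property, which a later unsafe merge would copy onto Object.prototype.
const SAMPLE_BODY =
  '{"text":"see example.com","opts":{"__proto__":{"polluted":true},"rel":"nofollow"}}';

const raw = JSON.parse(SAMPLE_BODY);
const clean = safeParse(SAMPLE_BODY);

console.log(findReservedKeys(raw));   // reserved key still present
console.log(findReservedKeys(clean)); // nothing left to merge
console.log(clean.opts);              // benign options survive
```

Stripping also removes legitimate fields that happen to be named `constructor` or `prototype`, so use `findReservedKeys` to reject and log when silent removal is not acceptable.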
```bash
# Configuration example
npm install linkifyjs@^4.3.2
npm audit --production
```


