Skip to main content
CVE Vulnerability Database

CVE-2025-8101: Linkify (linkifyjs) XSS Vulnerability

CVE-2025-8101 is a prototype pollution vulnerability in Linkify (linkifyjs) that enables XSS attacks through HTML attribute manipulation. This article covers the technical details, affected versions 4.3.1-4.3.2, and mitigation.

Updated:

CVE-2025-8101 Overview

CVE-2025-8101 is a prototype pollution vulnerability in Linkify (linkifyjs), a popular JavaScript library that detects URLs in plain text and converts them into clickable links. The flaw is classified as CWE-1321: Improperly Controlled Modification of Object Prototype Attributes. Attackers can manipulate object prototype attributes to inject malicious values into HTML attributes generated by the library, enabling cross-site scripting (XSS) and tampering with user-controlled variables. The issue affects Linkify versions from 4.3.1 before 4.3.2.

Critical Impact

Successful exploitation allows attackers to execute arbitrary JavaScript in victim browsers by polluting the global Object.prototype, leading to session hijacking, credential theft, and unauthorized actions in applications embedding Linkify.

Affected Products

  • Linkify (linkifyjs) version 4.3.1
  • All Linkify releases prior to 4.3.2
  • Web applications and Node.js projects that import linkifyjs for URL detection and rendering

Discovery Timeline

  • 2025-07-25 - CVE-2025-8101 published to the National Vulnerability Database (NVD)
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-8101

Vulnerability Analysis

The vulnerability resides in how linkifyjs merges configuration options and intermediate objects during URL parsing and HTML rendering. The library fails to validate property names when assigning values to internal objects. Attackers can supply input containing reserved keys such as __proto__, constructor, or prototype to inject properties onto Object.prototype. Once polluted, every object in the JavaScript runtime inherits the attacker-controlled values.

Linkify uses these merged options to construct HTML attributes for generated anchor tags. When polluted properties propagate into attribute rendering, attackers can inject arbitrary attribute names and values, including event handlers like onclick or onmouseover. This produces a stored or reflected XSS depending on how the host application processes user input.

Root Cause

The root cause is unsafe recursive property assignment without filtering reserved object keys. The library merges objects using direct property access rather than safe operations such as Object.create(null), Map, or guards that reject __proto__, constructor.prototype, and similar paths. Any function that walks user-controlled object keys and writes them to a target object without validation is susceptible.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction beyond loading a page that processes attacker-controlled text. An attacker submits crafted input containing prototype-pollution payloads to any application surface that passes data through linkifyjs. The polluted prototype then influences subsequent link rendering, injecting malicious HTML attributes that execute JavaScript in the victim's browser context. See the Fluid Attacks Advisory and the Linkify v4.3.2 release notes for additional technical context.

Detection Methods for CVE-2025-8101

Indicators of Compromise

  • Presence of linkifyjs version 4.3.1 in package.json, package-lock.json, or yarn.lock dependency manifests
  • HTTP request bodies or query parameters containing __proto__, constructor, or prototype keys directed at endpoints that process free-form text
  • Unexpected HTML attributes such as onerror, onload, or onmouseover appearing in rendered anchor tags generated server-side or client-side
  • Browser console errors referencing modified built-in object properties on pages that render user content through Linkify

Detection Strategies

  • Run software composition analysis (SCA) tools against application repositories to flag vulnerable linkifyjs versions between 4.3.1 and 4.3.2
  • Inspect application logs and web application firewall (WAF) telemetry for payloads containing prototype-pollution gadgets
  • Add Content Security Policy (CSP) violation reporting to capture unexpected inline script execution attempts originating from rendered links

Monitoring Recommendations

  • Monitor outbound requests from user browsers to untrusted domains immediately after pages render user-generated content
  • Track anomalies in session token usage, particularly cookies accessed shortly after a user views content processed by linkifyjs
  • Alert on changes to the npm dependency tree that pin or roll back linkifyjs to vulnerable versions during builds

How to Mitigate CVE-2025-8101

Immediate Actions Required

  • Upgrade linkifyjs to version 4.3.2 or later across all production, staging, and development environments
  • Audit application code for any custom integration that passes user-controlled objects directly into Linkify option arguments
  • Apply server-side and client-side input validation to reject keys named __proto__, constructor, and prototype in JSON payloads

Patch Information

The Linkify maintainers addressed the prototype pollution issue in version 4.3.2. Install the fixed release from the npm registry using npm install linkifyjs@^4.3.2 or the equivalent command for your package manager. Review the v4.3.2 release on GitHub and the linkifyjs source repository to confirm the fix is present in the installed build.

Workarounds

  • Wrap calls to linkifyjs so that input objects are sanitized through JSON.parse with a reviver that strips dangerous keys before they reach the library
  • Enforce a strict Content Security Policy that disallows inline event handlers and inline scripts, reducing the impact of injected attributes
  • Render Linkify output through a sanitizer such as DOMPurify configured to strip event-handler attributes before insertion into the DOM
bash
# Configuration example
npm install linkifyjs@^4.3.2
npm audit --production

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.