Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-22p9-wv53-3rq4 | LinkifyIt#match scan loop has quadratic algorithmic complexity |
Wed, 15 Jul 2026 18:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Markdown-it
Markdown-it linkify-it |
|
| Vendors & Products |
Markdown-it
Markdown-it linkify-it |
Wed, 15 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Tue, 14 Jul 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | linkify-it is a links recognition library with full Unicode support. Prior to 5.0.1, LinkifyIt.prototype.match, the package's primary public API, has O(N²) algorithmic complexity for inputs containing many fuzzy links or emails because the JavaScript-level scan loop re-slices input and re-runs unanchored regex searches on progressively shorter tails. Any service that synchronously renders untrusted Markdown with linkify:true on a request hot path can inherit a worker-process denial of service triggerable by a tens-of-KB request body. This issue is fixed in version 5.0.1. | |
| Title | linkify-it: Quadratic algorithmic complexity in LinkifyIt#match scan loop | |
| Weaknesses | CWE-1333 | |
| References |
| |
| Metrics |
cvssV4_0
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T12:56:15.250Z
Reserved: 2026-05-22T20:18:20.367Z
Link: CVE-2026-48801
Updated: 2026-07-15T12:55:56.140Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T18:30:15Z
Github GHSA