Description
Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’) vulnerability in Linkify (linkifyjs) allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables. This issue affects Linkify: from 4.3.1 before 4.3.2.
Recommendation
Update the linkifyjs package to the latest compatible version. Version details:
- Affected version(s): < 4.3.2
- Patched version(s): 4.3.2
References
- GHSA-95jq-xph2-cx9h
- fluidattacks.com
- www.npmjs.com
- caverav.cl
- CVE-2025-8101
- CWE-1321
- CAPEC-310
- OWASP 2021-A6
Related Issues
- tarteaucitron.js allows prototype pollution via custom text injection - CVE-2025-31475
- Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) 3 - CVE-2025-27597
- Vue I18n Allows Prototype Pollution in `handleFlatJson` (GHSA-p2ph-7g93-hw3m) 4 - CVE-2025-27597
- billboard.js allows prototype pollution via the function generate - CVE-2025-49223
Tags:
- npm
- linkifyjs
Last updated on January 22, 2026