CVE-2026-48801
markdown-it · linkify-it
A regular expression denial of service vulnerability exists in the linkify-it library due to inefficient complexity.
Executive summary
The linkify-it library is vulnerable to a denial of service attack via inefficient regular expression processing, which can lead to application resource exhaustion.
Vulnerability
The library is susceptible to CWE-1333, which involves inefficient regular expression complexity. This vulnerability is unauthenticated and does not require user interaction to trigger.
Business impact
With a CVSS score of 8.7, this vulnerability presents a high risk for denial of service. Any application relying on this library to process user input is susceptible to resource exhaustion, which could lead to significant downtime for critical web services or platforms.
Remediation
Immediate Action: Update the linkify-it package to version 5.0.1 or later to implement the regex fix provided by the maintainers.
Proactive Monitoring: Monitor server CPU and memory utilization for sudden, unexplained spikes when processing user-submitted content.
Compensating Controls: Use a Web Application Firewall (WAF) to filter or limit the size and complexity of input strings being processed by the application.
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability is highly actionable and easily mitigated through a library update. Organizations using linkify-it should update to version 5.0.1 or newer immediately to prevent potential denial of service attacks against their applications.