CVE-2026-48801

markdown-it · linkify-it

A regular expression denial of service vulnerability exists in the linkify-it library due to inefficient complexity.

Executive summary

The linkify-it library is vulnerable to a denial of service attack via inefficient regular expression processing, which can lead to application resource exhaustion.

Vulnerability

The library is susceptible to CWE-1333, which involves inefficient regular expression complexity. This vulnerability is unauthenticated and does not require user interaction to trigger.

Business impact

With a CVSS score of 8.7, this vulnerability presents a high risk for denial of service. Any application relying on this library to process user input is susceptible to resource exhaustion, which could lead to significant downtime for critical web services or platforms.

Remediation

Immediate Action: Update the linkify-it package to version 5.0.1 or later to implement the regex fix provided by the maintainers.

Proactive Monitoring: Monitor server CPU and memory utilization for sudden, unexplained spikes when processing user-submitted content.

Compensating Controls: Use a Web Application Firewall (WAF) to filter or limit the size and complexity of input strings being processed by the application.

Exploitation status

Public Exploit Available: No

Analyst recommendation

This vulnerability is highly actionable and easily mitigated through a library update. Organizations using linkify-it should update to version 5.0.1 or newer immediately to prevent potential denial of service attacks against their applications.