CVE-2025-8101: Linkify Allows Prototype Pollution & HTML Attribute Injection (XSS)

July 26, 2025 (updated July 29, 2025)

Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’) vulnerability in Linkify (linkifyjs) allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.This issue affects Linkify: from 4.3.1 before 4.3.2.

References

fluidattacks.com/advisories/charly
github.com/advisories/GHSA-95jq-xph2-cx9h
github.com/nfrasser/linkifyjs
github.com/nfrasser/linkifyjs/releases/tag/v4.3.2
nvd.nist.gov/vuln/detail/CVE-2025-8101
www.npmjs.com/package/linkifyjs

Code Behaviors & Features

Detect and mitigate CVE-2025-8101 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →