{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-8101", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "state": "PUBLISHED", "assignerShortName": "Fluid Attacks", "dateReserved": "2025-07-23T20:18:23.797Z", "datePublished": "2025-07-25T21:52:47.287Z", "dateUpdated": "2025-12-03T21:04:19.184Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected", "packageName": "linkifyjs", "product": "Linkify", "vendor": "Linkify", "versions": [{"lessThan": "4.3.2", "status": "affected", "version": "4.3.1", "versionType": "custom"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:linkify:linkify:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.3.2", "versionStartIncluding": "4.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.<p>This issue affects Linkify: from 4.3.1 before 4.3.2.</p>"}], "value": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.This issue affects Linkify: from 4.3.1 before 4.3.2."}], "impacts": [{"capecId": "CAPEC-243", "descriptions": [{"lang": "en", "value": "CAPEC-243 XSS Targeting HTML Attributes"}]}, {"capecId": "CAPEC-77", "descriptions": [{"lang": "en", "value": "CAPEC-77 Manipulating User-Controlled Variables"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.8, "baseSeverity": "HIGH", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1321", "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2025-12-03T21:04:19.184Z"}, "references": [{"tags": ["third-party-advisory"], "url": "https://fluidattacks.com/advisories/charly"}, {"tags": ["product"], "url": "https://github.com/nfrasser/linkifyjs"}, {"tags": ["product"], "url": "https://www.npmjs.com/package/linkifyjs"}, {"tags": ["patch"], "url": "https://github.com/nfrasser/linkifyjs/releases/tag/v4.3.2"}], "source": {"discovery": "UNKNOWN"}, "title": "Linkify 4.3.1 - Prototype Pollution & HTML Attribute Injection (XSS)", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-28T14:56:25.596265Z", "id": "CVE-2025-8101", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T14:56:39.776Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-8101", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-28T14:56:25.596265Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-28T14:56:33.311Z"}}], "cna": {"title": "Linkify 4.3.1 - Prototype Pollution & HTML Attribute Injection (XSS)", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-243", "descriptions": [{"lang": "en", "value": "CAPEC-243 XSS Targeting HTML Attributes"}]}, {"capecId": "CAPEC-77", "descriptions": [{"lang": "en", "value": "CAPEC-77 Manipulating User-Controlled Variables"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Linkify", "product": "Linkify", "versions": [{"status": "affected", "version": "4.3.1", "lessThan": "4.3.2", "versionType": "custom"}], "packageName": "linkifyjs", "collectionURL": "https://registry.npmjs.org", "defaultStatus": "unaffected"}], "references": [{"url": "https://fluidattacks.com/advisories/charly", "tags": ["third-party-advisory"]}, {"url": "https://github.com/nfrasser/linkifyjs", "tags": ["product"]}, {"url": "https://www.npmjs.com/package/linkifyjs", "tags": ["product"]}, {"url": "https://github.com/nfrasser/linkifyjs/releases/tag/v4.3.2", "tags": ["patch"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.This issue affects Linkify: from 4.3.1 before 4.3.2.", "supportingMedia": [{"type": "text/html", "value": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.<p>This issue affects Linkify: from 4.3.1 before 4.3.2.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-1321", "description": "CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:linkify:linkify:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "4.3.2", "versionStartIncluding": "4.3.1"}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "shortName": "Fluid Attacks", "dateUpdated": "2025-12-03T21:04:19.184Z"}}}, "cveMetadata": {"cveId": "CVE-2025-8101", "state": "PUBLISHED", "dateUpdated": "2025-12-03T21:04:19.184Z", "dateReserved": "2025-07-23T20:18:23.797Z", "assignerOrgId": "84fe0718-d6bb-4716-a7e8-81a6d1daa869", "datePublished": "2025-07-25T21:52:47.287Z", "assignerShortName": "Fluid Attacks"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.This issue affects Linkify: from 4.3.1 before 4.3.2."}, {"lang": "es", "value": "La vulnerabilidad de modificaci\u00f3n incorrectamente controlada de los atributos del prototipo de objeto ('Prototype Pollution') en Linkify (linkifyjs) permite que los XSS apunten a los atributos HTML y manipule las variables controladas por el usuario. Este problema afecta a Linkify: desde la versi\u00f3n 4.3.1 hasta la 4.3.2."}], "id": "CVE-2025-8101", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "help@fluidattacks.com", "type": "Secondary"}]}, "published": "2025-07-25T22:15:25.620", "references": [{"source": "help@fluidattacks.com", "url": "https://fluidattacks.com/advisories/charly"}, {"source": "help@fluidattacks.com", "url": "https://github.com/nfrasser/linkifyjs"}, {"source": "help@fluidattacks.com", "url": "https://github.com/nfrasser/linkifyjs/releases/tag/v4.3.2"}, {"source": "help@fluidattacks.com", "url": "https://www.npmjs.com/package/linkifyjs"}], "sourceIdentifier": "help@fluidattacks.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1321"}], "source": "help@fluidattacks.com", "type": "Secondary"}]}

{"bugzilla": {"description": "linkifyjs: Linkify Prototype Pollution", "id": "2383589", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2383589"}, "csaw": false, "cvss3": {"cvss3_base_score": "8.6", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L", "status": "draft"}, "cwe": "CWE-1321", "details": ["Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') vulnerability in Linkify (linkifyjs) allows XSS Targeting HTML Attributes and Manipulating User-Controlled Variables.This issue affects Linkify: from 4.3.1 before 4.3.2.", "A prototype pollution vulnerability was found in Linkify. This vulnerability allows an attacker to inject HTML attributes and manipulate user-controlled variables."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2025-8101", "package_state": [{"cpe": "cpe:/a:redhat:serverless:1", "fix_state": "Not affected", "package_name": "openshift-serverless-1/kn-backstage-plugins-eventmesh-rhel8", "product_name": "OpenShift Serverless"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh/rhdh-hub-rhel9", "product_name": "Red Hat Developer Hub"}, {"cpe": "cpe:/a:redhat:rhdh:1", "fix_state": "Not affected", "package_name": "rhdh/rhdh-rhel9-operator", "product_name": "Red Hat Developer Hub"}], "public_date": "2025-07-25T21:52:47Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-8101\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-8101\nhttps://fluidattacks.com/advisories/charly\nhttps://github.com/nfrasser/linkifyjs\nhttps://github.com/nfrasser/linkifyjs/releases/tag/v4.3.2\nhttps://www.npmjs.com/package/linkifyjs"], "threat_severity": "Important"}

{"created": "2025-07-26T11:55:07.904665+00:00", "updated": "2025-07-26T11:55:07.904789+00:00", "vendors": ["linkify", "linkify$PRODUCT$linkify"]}