GHSA-22p9-wv53-3rq4: LinkifyIt#match scan loop has quadratic algorithmic complexity
The LinkifyIt package's primary API function, match(), exhibits O(N²) algorithmic complexity when processing inputs with many fuzzy links or emails. This inefficiency stems from a structural issue in the scan loop that repeatedly slices the input string and runs unanchored regex searches on progressively shorter substrings. This behavior causes significant CPU consumption, leading to denial-of-service conditions when rendering untrusted Markdown with linkify enabled in services such as markdown-it. The vulnerability affects all versions prior to 5.0.1.
AI Analysis
Technical Summary
LinkifyIt.prototype.match has a quadratic time complexity due to its scan loop design. Each iteration slices the input tail and performs multiple unanchored regex searches, resulting in O(N²) processing time for inputs with many fuzzy links or emails. This inefficiency propagates to markdown-it when linkify:true is enabled, causing synchronous rendering of large inputs to block worker threads for seconds or longer. The vulnerability has existed since the initial commit and affects all versions before 5.0.1. The recommended fix is to refactor the loop to use stateful regex iteration with the 'g' flag to achieve linear time complexity.
Potential Impact
This vulnerability primarily impacts availability by enabling a denial-of-service condition. A single HTTP request containing tens of kilobytes of repeated email-like strings can block a worker thread for several seconds to tens of seconds. Under moderate concurrent load, this can wedge the entire rendering tier of affected services. There is no impact on confidentiality or integrity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The suggested remediation is an algorithmic fix converting the outer scan loop to stateful regex iteration with the 'g' flag to ensure linear time complexity. Until a patch is available, consider disabling linkify or avoiding rendering untrusted Markdown with linkify enabled on request hot-paths to mitigate denial-of-service risks.
GHSA-22p9-wv53-3rq4: LinkifyIt#match scan loop has quadratic algorithmic complexity
Description
The LinkifyIt package's primary API function, match(), exhibits O(N²) algorithmic complexity when processing inputs with many fuzzy links or emails. This inefficiency stems from a structural issue in the scan loop that repeatedly slices the input string and runs unanchored regex searches on progressively shorter substrings. This behavior causes significant CPU consumption, leading to denial-of-service conditions when rendering untrusted Markdown with linkify enabled in services such as markdown-it. The vulnerability affects all versions prior to 5.0.1.
CVSS v4.0
Affected software
Run on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
LinkifyIt.prototype.match has a quadratic time complexity due to its scan loop design. Each iteration slices the input tail and performs multiple unanchored regex searches, resulting in O(N²) processing time for inputs with many fuzzy links or emails. This inefficiency propagates to markdown-it when linkify:true is enabled, causing synchronous rendering of large inputs to block worker threads for seconds or longer. The vulnerability has existed since the initial commit and affects all versions before 5.0.1. The recommended fix is to refactor the loop to use stateful regex iteration with the 'g' flag to achieve linear time complexity.
Potential Impact
This vulnerability primarily impacts availability by enabling a denial-of-service condition. A single HTTP request containing tens of kilobytes of repeated email-like strings can block a worker thread for several seconds to tens of seconds. Under moderate concurrent load, this can wedge the entire rendering tier of affected services. There is no impact on confidentiality or integrity.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. The suggested remediation is an algorithmic fix converting the outer scan loop to stateful regex iteration with the 'g' flag to ensure linear time complexity. Until a patch is available, consider disabling linkify or avoiding rendering untrusted Markdown with linkify enabled on request hot-paths to mitigate denial-of-service risks.
Technical Details
- Gcve Source
- db.gcve.eu
- Osv Id
- GHSA-22p9-wv53-3rq4
- Osv Schema Version
- 1.4.0
- Aliases
- ["CVE-2026-48801"]
- Ecosystems
- ["npm"]
- Database Specific Severity
- HIGH
- Cvss Version
- 4.0
Threat ID: 6a3ef76a27e9c79719fee800
Added to database: 06/26/2026, 22:04:26 UTC
Last enriched: 06/26/2026, 22:08:00 UTC
Last updated: 06/26/2026, 22:08:00 UTC
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.