CVE-2026-59887 in linkify-itinfo

Summary

by MITRE • 07/08/2026

linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test() and .match() can be invoked at every mailto: occurrence and scan the remaining input through src_email_name in lib/re.mjs, causing O(n^2) CPU consumption on crafted user text. This issue is fixed in version 5.0.2.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/08/2026

The linkify-it library serves as a comprehensive links recognition utility that supports full Unicode character sets, making it essential for processing internationalized text content across various web applications and platforms. This JavaScript library processes input text to identify and extract various types of links including URLs, email addresses, and other recognizable patterns. The vulnerability affects versions prior to 5.0.2 where the mailto: schema validator demonstrates a critical performance flaw that can be exploited through carefully crafted user input.

The technical flaw resides in how the library handles mailto: email address validation during the .test() and .match() operations. When processing text containing mailto: links, the validator invokes a function called src_email_name in the lib/re.mjs file which scans the remainder of the input string. This scanning behavior creates a quadratic time complexity pattern where the CPU consumption grows exponentially with input size. The vulnerability specifically manifests when malicious users provide crafted text containing multiple mailto: occurrences that trigger the validation routine, causing the library to perform redundant and increasingly expensive operations as the input length increases.

This performance degradation represents a significant operational impact that can be exploited for denial-of-service attacks against applications relying on linkify-it. Attackers can craft specially designed strings that cause the library to consume excessive CPU resources, potentially leading to application slowdowns or complete service unavailability. The O(n^2) complexity means that even relatively small inputs can trigger substantial processing overhead, making this vulnerability particularly dangerous in environments where user input is processed without proper rate limiting or resource constraints.

The fix implemented in version 5.0.2 addresses this issue by optimizing the mailto: schema validation logic to prevent the excessive scanning behavior that caused the quadratic complexity. This update ensures that the library maintains efficient processing times regardless of input size, protecting applications from potential denial-of-service scenarios. Organizations using linkify-it should immediately upgrade to version 5.0.2 or later to mitigate this vulnerability. The CWE community recognizes similar issues under CWE-1321 which addresses inefficient algorithms leading to excessive resource consumption, while the ATT&CK framework would categorize this as a resource exhaustion technique that can be used in initial access and persistence phases of cyber attacks.

The vulnerability demonstrates the importance of careful algorithm design when processing user input, particularly in libraries that handle text parsing and pattern matching. Security practitioners should implement proper input validation and sanitization measures while also monitoring for performance anomalies in applications that utilize text processing libraries. Regular security updates and dependency management practices become crucial in preventing exploitation of such vulnerabilities that can impact the stability and availability of web applications relying on third-party text processing utilities.

Responsible

GitHub M

Reservation

07/07/2026

Disclosure

07/08/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!