CVE-2026-59887
Received Received - Intake

ReDoS via mailto: Schema in linkify-it

Vulnerability report for CVE-2026-59887, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

linkify-it is a links recognition library with full Unicode support. Prior to 5.0.2, the mailto: schema validator used by .test() and .match() can be invoked at every mailto: occurrence and scan the remaining input through src_email_name in lib/re.mjs, causing O(n^2) CPU consumption on crafted user text. This issue is fixed in version 5.0.2.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-09
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
markdown-it linkify-it to 5.0.2 (exc)
markdown-it linkify-it 5.0.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-59887 is a Denial of Service (DoS) vulnerability in the linkify-it library, which is used for recognizing links with full Unicode support. The issue occurs in versions 5.0.1 and earlier, where the mailto: schema validator repeatedly scans the remaining input for each mailto: occurrence using a regex that causes quadratic time complexity (O(nΒ²)) on crafted inputs.

Specifically, the validator performs an O(n) slice and a greedy regex match on the entire remaining string for every mailto: prefix, which leads to excessive CPU consumption when processing attacker-controlled input containing many mailto: strings.

This vulnerability can be triggered by submitting inputs with many repeated mailto: prefixes, causing the event loop to block for several seconds or longer, effectively causing a denial of service.

Impact Analysis

The primary impact of this vulnerability is a denial of service due to high CPU consumption caused by the inefficient mailto: validator.

  • An attacker can craft input with many mailto: prefixes (e.g., 220 KB of repeated mailto:) that causes the event loop to hang for several seconds or longer.
  • This can lead to availability issues in applications that use linkify-it with linkify mode enabled, such as comment sections, chat applications, forums, and note-taking apps that render user-provided markdown.
  • The denial of service can degrade user experience or cause service outages by blocking the event loop.
Detection Guidance

This vulnerability can be detected by identifying if your system or application uses the linkify-it library version 5.0.1 or earlier, especially in contexts where user input is processed with the .test() or .match() methods involving mailto: links.

Detection can also involve monitoring for unusually high CPU usage or event loop blocking when processing inputs containing many repeated "mailto:" strings, which may indicate exploitation attempts.

Specific commands to detect the vulnerability are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to upgrade the linkify-it library to version 5.0.2 or later, where the vulnerability has been fixed.

The fix involves bounding the length of the email local-part to 64 characters and limiting the scanning behavior to avoid O(nΒ²) CPU consumption.

If upgrading immediately is not possible, consider disabling or restricting the use of linkify-it's mailto: schema validation or avoiding processing untrusted user input with the vulnerable methods.

Compliance Impact

CVE-2026-59887 is a denial-of-service (DoS) vulnerability that primarily impacts availability by causing the event loop to block for several seconds or longer when processing crafted inputs. This can affect systems that rely on markdown-it's linkify mode for rendering user-provided markdown, such as comment sections, chat applications, forums, and note-taking apps.

While the vulnerability does not directly involve confidentiality or integrity breaches, the resulting availability issues could indirectly impact compliance with standards like GDPR or HIPAA if critical services become unavailable or unresponsive, potentially affecting the timely processing or access to personal or sensitive data.

However, there is no explicit information in the provided context or resources linking this vulnerability to specific compliance violations or regulatory impacts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-59887. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart