
fix(security): bump linkify-it to 5.0.1 to fix CVE-2026-48801 (GHSA-22p9-wv53-3rq4)#4347

Open
kilo-code-bot[bot] wants to merge 1 commit into main from security-remediation/linkify-it-ghsa-22p9-wv53-3rq4/5efc495222-1

Conversation

@kilo-code-bot kilo-code-bot Bot commented Jul 1, 2026

Contributor

Summary

Bumps linkify-it from 5.0.0 to 5.0.1 in apps/web/package.json to remediate CVE-2026-48801 / GHSA-22p9-wv53-3rq4 — a quadratic algorithmic complexity (ReDoS-class) vulnerability in LinkifyIt#match.

The match() scan loop in linkify-it ≤ 5.0.0 is O(N²), allowing a crafted large input to cause a browser tab freeze. The 5.0.1 patch rewrites the loop to O(N).

Changes:

  • Bumped linkify-it to 5.0.1 in apps/web/package.json
  • Updated pnpm-lock.yaml accordingly
  • Added a 50,000-character input guard in TextWithLinks (MessageBubble.tsx) as defense-in-depth to bound worst-case render time independent of library version

Kilo Security Finding: https://app.kilo.ai/security-agent/findings?findingId=5efc4952-22ad-4223-88f7-4d24e122fb71

Verification

Manually verified that pnpm install resolves linkify-it@5.0.1 in the lockfile. The vulnerable linkify.match(text) call site in MessageBubble.tsx is guarded by the input length check before calling into the library.

Visual Changes

N/A

Reviewer Notes

The vulnerability is client-side only — MessageBubble.tsx is a 'use client' Next.js component, so execution occurs in the browser. An authenticated attacker sharing a session could post a large crafted message to freeze a victim's browser tab. No server-side DoS risk exists for this code path.
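The input-length guard described in this PR, as an added example that is not the PR's own code: a wrapper that refuses to hand oversized text to a linkify-style matcher (so worst-case scan time stays bounded whatever the library's complexity) and otherwise splits the text into text/link segments for rendering. `segmentText`, `demoMatcher` and `MAX_LINKIFY_INPUT` are assumed names; `demoMatcher` is a constructed regex stand-in, not linkify-it, but it mimics linkify-it's `match()` contract (an array of `{index, lastIndex, url}` or `null`).

```javascript
// Mirrors the 50,000-character bound described in the PR (assumed constant name).
const MAX_LINKIFY_INPUT = 50000;

// Counts matcher invocations so the guard can be verified: oversized input
// must never reach the matcher at all.
let matcherCalls = 0;

// Constructed stand-in for linkify-it (NOT the real library): finds http(s) URLs
// and returns them in linkify-it's Match shape, or null when nothing matches.
const demoMatcher = {
  match(text) {
    matcherCalls += 1;
    const re = /https?:\/\/[^\s<>"']+/g;
    const out = [];
    let m;
    while ((m = re.exec(text)) !== null) {
      out.push({ index: m.index, lastIndex: m.index + m[0].length, url: m[0] });
    }
    return out.length ? out : null;
  },
};

// Split `text` into render segments. If the text exceeds `maxLen`, skip the
// matcher entirely and render it as plain text (defense-in-depth: the bound
// holds even if the library regresses to quadratic behaviour).
function segmentText(text, matcher = demoMatcher, maxLen = MAX_LINKIFY_INPUT) {
  if (text.length > maxLen) {
    return { guarded: true, segments: [{ type: 'text', value: text }] };
  }
  const matches = matcher.match(text) || [];
  const segments = [];
  let cursor = 0;
  for (const m of matches) {
    if (m.index > cursor) {
      segments.push({ type: 'text', value: text.slice(cursor, m.index) });
    }
    segments.push({ type: 'link', value: text.slice(m.index, m.lastIndex), href: m.url });
    cursor = m.lastIndex;
  }
  if (cursor < text.length) {
    segments.push({ type: 'text', value: text.slice(cursor) });
  }
  return { guarded: false, segments };
}

function getMatcherCalls() {
  return matcherCalls;
}
```

In a React component the `guarded` flag is what decides whether to render the raw string or the linkified segments.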

kilo-code-bot Bot commented Jul 1, 2026

Contributor Author

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

Routine dependency bump (linkify-it 5.0.0 -> 5.0.1) plus a defense-in-depth length guard in MessageBubble.tsx; no correctness, security, or performance issues found in the changed lines.

Files Reviewed (3 files)
  • apps/web/package.json
  • apps/web/src/components/cloud-agent-next/MessageBubble.tsx
  • pnpm-lock.yaml

Reviewed by claude-sonnet-5-20260630 · Input: 16 · Output: 3.2K · Cached: 308.2K

Review guidance: REVIEW.md from base branch main
