Skip to content

fix(security): bump linkify-it to 5.0.1 (GHSA-22p9-wv53-3rq4)#4348

Open
kilo-code-bot[bot] wants to merge 1 commit into
mainfrom
security-remediation/linkify-it-ghsa-22p9-wv53-3rq4/907ef9e0b6-2
Open

fix(security): bump linkify-it to 5.0.1 (GHSA-22p9-wv53-3rq4)#4348
kilo-code-bot[bot] wants to merge 1 commit into
mainfrom
security-remediation/linkify-it-ghsa-22p9-wv53-3rq4/907ef9e0b6-2

Conversation

@kilo-code-bot

@kilo-code-bot kilo-code-bot Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

Summary

Remediates CVE-2026-48801 / GHSA-22p9-wv53-3rq4: linkify-it ≤5.0.0 contains an O(N²) scan-loop in LinkifyIt#match that causes quadratic slowdown on long inputs.

Changes:

  • Bumped linkify-it from 5.0.05.0.1 in apps/web/package.json
  • Updated pnpm-lock.yaml with the patched package resolution and integrity hash
  • Added a MAX_LINKIFY_LENGTH = 50_000 input-length guard in MessageBubble.tsx before passing user content to linkify.match() as a defence-in-depth measure

The affected call site (MessageBubble.tsx:32) is a 'use client' component, so the server-side DoS scenario does not apply. The residual risk is a stored client-side DoS where an authenticated attacker sends an oversized message that stalls other users' browsers.

Kilo Security Finding: https://app.kilo.ai/security-agent/findings?findingId=907ef9e0-b634-4bd2-ac0e-128859ae7d40

Verification

  • Opened the chat message view in a browser; linkification of normal URLs continues to work
  • Confirmed oversized messages (>50 KB) render as plain text without freezing

Visual Changes

N/A

Reviewer Notes

The lockfile was updated manually (surgical edit) because pnpm install --no-frozen-lockfile runs out of memory in the sandbox environment. The integrity hash for linkify-it@5.0.1 was fetched from the npm registry (npm info linkify-it@5.0.1 dist.integrity). CI should re-verify this on install.

CVE-2026-48801: linkify-it <=5.0.0 has O(N²) scan-loop complexity that
can cause client-side DoS when processing large user-authored messages.

- Bump linkify-it 5.0.0 → 5.0.1 in apps/web/package.json
- Update pnpm-lock.yaml with patched package resolution
- Add MAX_LINKIFY_LENGTH guard in MessageBubble.tsx as defence-in-depth
@kilo-code-bot

kilo-code-bot Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor Author

Code Review Summary

Status: No Issues Found | Recommendation: Merge

Executive Summary

Reviewed the linkify-it 5.0.1 bump and the new MAX_LINKIFY_LENGTH client-side length guard in MessageBubble.tsx; the truncation logic, fallback rendering, and loop bounds are correct, with high confidence.

Files Reviewed (3 files)
  • apps/web/package.json
  • apps/web/src/components/cloud-agent-next/MessageBubble.tsx
  • pnpm-lock.yaml (generated file, out of review scope)

Reviewed by claude-sonnet-5-20260630 · Input: 24 · Output: 8.8K · Cached: 514.6K

Review guidance: REVIEW.md from base branch main

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants