[PR #161] [CLOSED] fix: upgrade linkifyjs to 4.3.2 (CVE-2025-8101) #3541

Closed
opened 2026-06-21 21:06:38 -05:00 by GiteaMirror · 0 comments
Owner

📋 Pull Request Information

Original PR: https://github.com/reconurge/flowsint/pull/161
Author: @orbisai0security
Created: 6/3/2026
Status: Closed

Base: mainHead: fix-cve-2025-8101-flowsint-app-yarn-lock


📝 Commits (1)

  • 53dd34e fix: upgrade linkifyjs to 4.3.2 (CVE-2025-8101)

📊 Changes

2 files changed (+2 additions, -1 deletions)

View changed files

📝 flowsint-app/package.json (+1 -0)
📝 yarn.lock (+1 -1)

📄 Description

Summary

Upgrade linkifyjs from 4.3.1 to 4.3.2 to fix CVE-2025-8101.

Vulnerability

Field Value
ID CVE-2025-8101
Severity HIGH
Scanner trivy
Rule CVE-2025-8101
File flowsint-app/yarn.lock
Assessment Likely exploitable

Description: linkifyjs: Linkify Prototype Pollution

Evidence

Scanner confirmation: trivy rule CVE-2025-8101 flagged this pattern.

Production code: This file is in the production codebase, not test-only code.

Threat Model Context

This is a Node.js library - vulnerabilities affect downstream consumers who use this package.

Changes

  • flowsint-app/package.json
  • yarn.lock

Verification

  • Build passes
  • Scanner re-scan confirms fix
  • LLM code review passed

This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.


Automated security fix by OrbisAI Security


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.

## 📋 Pull Request Information **Original PR:** https://github.com/reconurge/flowsint/pull/161 **Author:** [@orbisai0security](https://github.com/orbisai0security) **Created:** 6/3/2026 **Status:** ❌ Closed **Base:** `main` ← **Head:** `fix-cve-2025-8101-flowsint-app-yarn-lock` --- ### 📝 Commits (1) - [`53dd34e`](https://github.com/reconurge/flowsint/commit/53dd34e45c87f0b54367fe0357def7e8df2fff42) fix: upgrade linkifyjs to 4.3.2 (CVE-2025-8101) ### 📊 Changes **2 files changed** (+2 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `flowsint-app/package.json` (+1 -0) 📝 `yarn.lock` (+1 -1) </details> ### 📄 Description ## Summary Upgrade linkifyjs from 4.3.1 to 4.3.2 to fix CVE-2025-8101. ## Vulnerability | Field | Value | |-------|-------| | **ID** | CVE-2025-8101 | | **Severity** | HIGH | | **Scanner** | trivy | | **Rule** | `CVE-2025-8101` | | **File** | `flowsint-app/yarn.lock` | | **Assessment** | Likely exploitable | **Description**: linkifyjs: Linkify Prototype Pollution ## Evidence **Scanner confirmation**: trivy rule `CVE-2025-8101` flagged this pattern. **Production code**: This file is in the production codebase, not test-only code. ## Threat Model Context This is a Node.js library - vulnerabilities affect downstream consumers who use this package. ## Changes - `flowsint-app/package.json` - `yarn.lock` ## Verification - [x] Build passes - [x] Scanner re-scan confirms fix - [x] LLM code review passed --- *This change addresses a pattern flagged by static analysis. The code path handles user-influenced input and the fix reduces the attack surface against both manual and automated exploitation.* --- *Automated security fix by [OrbisAI Security](https://orbisappsec.com)* --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>
GiteaMirror added the pull-request label 2026-06-21 21:06:39 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/flowsint#3541