diff --git a/src/match/url-match.ts b/src/match/url-match.ts
index 9a006998..f07a8c8f 100644
--- a/src/match/url-match.ts
+++ b/src/match/url-match.ts
@@ -170,6 +170,9 @@ export class UrlMatch extends Match {
 getAnchorHref() {
 let url = this.getUrl();
+ //Strip malicious Unicode SNYK-AUTOLINKER-2438289
+ url.replace('\u202E', '');
+
 return url.replace(/&/g, '&'); // any &'s in the URL should be converted back to '&' if they were displayed as & in the source html
 }
diff --git a/tests/autolinker-url.spec.ts b/tests/autolinker-url.spec.ts
index 440b5481..55e6cad6 100644
--- a/tests/autolinker-url.spec.ts
+++ b/tests/autolinker-url.spec.ts
@@ -1203,8 +1203,15 @@ describe('Autolinker Url Matching -', () => {
 );
 });
+ describe('unicode exploits', () => {
+ it('should strip out Right-To-Left Override Unicode characters for security', () => {
+ var result = autolinker.link('https://legit.ok/files\u202E4pm.asia');
+ expect(result).toBe('');
+ });
+ });
+
 describe('combination example', () => {
- it(`should automatically link all of the URLs of many different forms`, () => {
+ it('should automatically link all of the URLs of many different forms', () => {
 let inputStr = `
 Joe went to http://yahoo.com and http://localhost today along with http://localhost:8000. He also had a path on localhost: http://localhost:8000/abc, and a query string: http://localhost:8000?abc
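Review bot: The added `url.replace('\u202E', '')` in getAnchorHref discards its return value, so `url` is unchanged and the Right-To-Left Override character still reaches the returned href — JavaScript strings are immutable and `replace` yields a new string. A string pattern also replaces only the first occurrence, so the line should read `url = url.replace(/\u202E/g, '');` with a global regex. U+202E is only one of the Unicode bidi control characters; the neighbouring embeddings/overrides and isolates (U+202A–U+202E, U+2066–U+2069) cause the same display reordering, so a single class such as `url = url.replace(/[\u202A-\u202E\u2066-\u2069]/g, '');` covers them together. This hunk only touches the href; if the visible anchor text is built elsewhere from the same match it presumably still carries the override and would need the same stripping. The accompanying spec in tests/autolinker-url.spec.ts asserts `expect(result).toBe('')`, which no stripping implementation can satisfy — the expectation should be the linked markup with the override character removed.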