GHSA-5FGG-JCPF-8JJW

Vulnerability from github – Published: 2026-04-22 17:40 – Updated: 2026-05-13 13:29
VLAI?
Summary
i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters
Details

Summary

Versions of i18next-http-middleware prior to 3.9.3 pass user-controlled lng and ns parameters to two internal paths that use them in ways that enable prototype pollution and, depending on the configured backend, path traversal or SSRF.

The vulnerable entry points are unauthenticated HTTP handlers that are part of the middleware's public API:

  • getResourcesHandler — reads lng/ns from query parameters or route params and passes them unvalidated to:
  • utils.setPath(resources, [lng, ns], ...) — the setPath helper did not guard against __proto__, constructor, or prototype keys, writing into Object.prototype when those values were supplied.
  • i18next.services.backendConnector.load(languages, namespaces, ...) — depending on the configured backend, unvalidated path segments enabled filesystem path traversal (e.g. with i18next-fs-backend) or SSRF (e.g. with i18next-http-backend).
  • A namespaces.forEach(ns => i18next.options.ns.push(ns)) loop additionally performed permanent, unbounded growth of the shared singleton namespace list.
  • missingKeyHandler — iterated the incoming request body with for...in, which traverses inherited prototype-chain properties. A POST body like {"__proto__": {"isAdmin": true}} was forwarded into saveMissing.

Impact

  • Prototype pollution — a single unauthenticated request of the form GET /locales/resources.json?lng=__proto__&ns=isAdmin writes into Object.prototype, affecting every plain object created subsequently in the Node.js process. This can break authorization checks (if (user.isAdmin)), cause denial of service via type confusion, or be chained into RCE depending on what downstream code reads from polluted objects.
  • Path traversal / SSRF — with filesystem or HTTP backends that interpolate lng/ns into paths or URLs, attacker-controlled values like ns=../../etc/passwd or lng=internal-service could reach resources outside the intended scope.
  • Denial of service — the unbounded i18next.options.ns growth, plus repeated backend load calls, enabled memory and CPU exhaustion from unique namespace payloads.

Affected versions

< 3.9.3.

Patch

Fixed in 3.9.3. The patch:

  1. Blocks __proto__, constructor, and prototype keys in utils.setPath.
  2. Replaces the for...in body iteration in missingKeyHandler with Object.keys() plus an explicit dangerous-keys guard.
  3. Introduces a utils.isSafeIdentifier helper (denylist approach — still permits any legitimate i18next language code shape) that filters lng/ns values for path-traversal, path separators, control characters, prototype keys, and over-long inputs before they reach the backend connector and before they are pushed into i18next.options.ns.

Workarounds

No workaround short of upgrading. Front-proxying the middleware with a WAF rule that rejects requests containing __proto__, constructor, prototype, .., or control characters in lng/ns query parameters or body keys is a partial mitigation.

Credits

Discovered via an internal security audit of the i18next ecosystem.

Severity ?
8.6 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "i18next-http-middleware"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.9.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41690"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321",
      "CWE-22"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T17:40:47Z",
    "nvd_published_at": "2026-05-08T16:16:11Z",
    "severity": "HIGH"
  },
  "details": "### Summary\n\nVersions of `i18next-http-middleware` prior to 3.9.3 pass user-controlled `lng` and `ns` parameters to two internal paths that use them in ways that enable prototype pollution and, depending on the configured backend, path traversal or SSRF.\n\nThe vulnerable entry points are unauthenticated HTTP handlers that are part of the middleware\u0027s public API:\n\n- `getResourcesHandler` \u2014 reads `lng`/`ns` from query parameters or route params and passes them unvalidated to:\n  - `utils.setPath(resources, [lng, ns], ...)` \u2014 the `setPath` helper did not guard against `__proto__`, `constructor`, or `prototype` keys, writing into `Object.prototype` when those values were supplied.\n  - `i18next.services.backendConnector.load(languages, namespaces, ...)` \u2014 depending on the configured backend, unvalidated path segments enabled filesystem path traversal (e.g. with `i18next-fs-backend`) or SSRF (e.g. with `i18next-http-backend`).\n  - A `namespaces.forEach(ns =\u003e i18next.options.ns.push(ns))` loop additionally performed permanent, unbounded growth of the shared singleton namespace list.\n- `missingKeyHandler` \u2014 iterated the incoming request body with `for...in`, which traverses inherited prototype-chain properties. A POST body like `{\"__proto__\": {\"isAdmin\": true}}` was forwarded into `saveMissing`.\n\n### Impact\n\n- **Prototype pollution** \u2014 a single unauthenticated request of the form `GET /locales/resources.json?lng=__proto__\u0026ns=isAdmin` writes into `Object.prototype`, affecting every plain object created subsequently in the Node.js process. This can break authorization checks (`if (user.isAdmin)`), cause denial of service via type confusion, or be chained into RCE depending on what downstream code reads from polluted objects.\n- **Path traversal / SSRF** \u2014 with filesystem or HTTP backends that interpolate `lng`/`ns` into paths or URLs, attacker-controlled values like `ns=../../etc/passwd` or `lng=internal-service` could reach resources outside the intended scope.\n- **Denial of service** \u2014 the unbounded `i18next.options.ns` growth, plus repeated backend load calls, enabled memory and CPU exhaustion from unique namespace payloads.\n\n### Affected versions\n\n`\u003c 3.9.3`.\n\n### Patch\n\nFixed in **3.9.3**. The patch:\n\n1. Blocks `__proto__`, `constructor`, and `prototype` keys in `utils.setPath`.\n2. Replaces the `for...in` body iteration in `missingKeyHandler` with `Object.keys()` plus an explicit dangerous-keys guard.\n3. Introduces a `utils.isSafeIdentifier` helper (denylist approach \u2014 still permits any legitimate i18next language code shape) that filters `lng`/`ns` values for path-traversal, path separators, control characters, prototype keys, and over-long inputs before they reach the backend connector and before they are pushed into `i18next.options.ns`.\n\n### Workarounds\n\nNo workaround short of upgrading. Front-proxying the middleware with a WAF rule that rejects requests containing `__proto__`, `constructor`, `prototype`, `..`, or control characters in `lng`/`ns` query parameters or body keys is a partial mitigation.\n\n### Credits\n\nDiscovered via an internal security audit of the i18next ecosystem.",
  "id": "GHSA-5fgg-jcpf-8jjw",
  "modified": "2026-05-13T13:29:51Z",
  "published": "2026-04-22T17:40:47Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-5fgg-jcpf-8jjw"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41690"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/i18next/i18next-http-middleware"
    },
    {
      "type": "WEB",
      "url": "https://www.i18next.com/how-to/faq#how-should-the-language-codes-be-formatted"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.