GHSA-MGCP-MFP8-3Q45

Vulnerability from github – Published: 2026-04-22 20:28 – Updated: 2026-04-22 20:28
VLAI?
Summary
i18next-locize-backend has URL Injection via Unsanitized Path Parameters
Details

Summary

Versions of i18next-locize-backend prior to 9.0.2 interpolate lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of these values to user-controlled input (?lng= / ?ns= query parameters via i18next-browser-languagedetector, cookies, request headers, or a URL-derived projectId), a crafted value can change the structure of the outgoing request URL.

Affected call sites in lib/index.js (pre-patch): the interpolate() helper is used at the five URL-build sites — _readAny/read (line 415 for private, 426 for public), getLanguages (lines 271 and 296), and writePage (lines 616 and 622) for the missing-key and update POST paths. The helper interpolate in lib/utils.js substitutes raw values with no encoding.

Impact

An attacker who can influence lng, ns, projectId, or version can:

  • Path traversallng = '../../admin' against https://api.locize.app/{{projectId}}/{{version}}/{{lng}}/{{ns}} changes the request URL path segment that reaches the locize CDN / API.
  • Query-string injectionlng = 'en?x=y' appends an attacker-chosen query to the URL.
  • Fragment truncationlng = 'en#x' silently truncates the path in browser fetches.
  • URL-encoded bypasslng = 'en%2F..' leverages server-side decoding to reintroduce /...

The worst-case concrete impact is loading an unintended translation resource (potentially causing wrong content to render) and, when a custom loadPath is configured against an internal / file-scheme URL, SSRF or arbitrary-file read on the host running the backend.

Additionally, the pre-patch interpolate() function read data[key] without excluding prototype-chain properties — under prototype-pollution conditions in the same process, that path could pull values from Object.prototype into the URL.

Related fixes shipped in 9.0.2

  • The defaults() helper replaces for...in iteration with Object.keys() plus an explicit prototype-key guard so a polluted Object.prototype cannot leak into the merged options object.
  • New utils.interpolateUrl / isSafeUrlSegment / sanitizeLogValue / redactUrlCredentials helpers mirror the pattern shipped in i18next-http-backend@3.0.5 (see its advisory GHSA-q89c-q3h5-w34g).

Affected versions

All versions of i18next-locize-backend prior to 9.0.2.

Patch

Fixed in 9.0.2. lib/index.js now uses interpolateUrl() at every URL-build site and returns an error callback (or silently drops the queued write for writePage) when any interpolated value fails the safety check. Legitimate i18next language-code shapes (BCP-47, en_US, zh-Hant-HK, my-custom.ns, +-joined multi-language values) all pass.

Workarounds

No workaround short of upgrading. If you cannot upgrade immediately, sanitise lng / ns / projectId / version at your application boundary before passing them through to i18next — reject values containing .., /, \, ?, #, %, whitespace, control characters, and cap the length.

Credits

Discovered via an internal security audit of the i18next / locize ecosystem.

References

Severity ?
6.5 (Medium)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "i18next-locize-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "9.0.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-74"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T20:28:27Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Summary\n\nVersions of `i18next-locize-backend` prior to 9.0.2 interpolate `lng`, `ns`, `projectId`, and `version` directly into the configured `loadPath` / `privatePath` / `addPath` / `updatePath` / `getLanguagesPath` URL templates with no path-component validation and no encoding. When an application exposes any of these values to user-controlled input (`?lng=` / `?ns=` query parameters via `i18next-browser-languagedetector`, cookies, request headers, or a URL-derived `projectId`), a crafted value can change the structure of the outgoing request URL.\n\nAffected call sites in `lib/index.js` (pre-patch): the `interpolate()` helper is used at the five URL-build sites \u2014 `_readAny`/`read` (line 415 for private, 426 for public), `getLanguages` (lines 271 and 296), and `writePage` (lines 616 and 622) for the missing-key and update POST paths. The helper `interpolate` in `lib/utils.js` substitutes raw values with no encoding.\n\n### Impact\n\nAn attacker who can influence `lng`, `ns`, `projectId`, or `version` can:\n\n- **Path traversal** \u2014 `lng = \u0027../../admin\u0027` against `https://api.locize.app/{{projectId}}/{{version}}/{{lng}}/{{ns}}` changes the request URL path segment that reaches the locize CDN / API.\n- **Query-string injection** \u2014 `lng = \u0027en?x=y\u0027` appends an attacker-chosen query to the URL.\n- **Fragment truncation** \u2014 `lng = \u0027en#x\u0027` silently truncates the path in browser fetches.\n- **URL-encoded bypass** \u2014 `lng = \u0027en%2F..\u0027` leverages server-side decoding to reintroduce `/..`.\n\nThe worst-case concrete impact is loading an unintended translation resource (potentially causing wrong content to render) and, when a custom `loadPath` is configured against an internal / file-scheme URL, **SSRF or arbitrary-file read** on the host running the backend.\n\nAdditionally, the pre-patch `interpolate()` function read `data[key]` without excluding prototype-chain properties \u2014 under prototype-pollution conditions in the same process, that path could pull values from `Object.prototype` into the URL.\n\n### Related fixes shipped in 9.0.2\n\n- The `defaults()` helper replaces `for...in` iteration with `Object.keys()` plus an explicit prototype-key guard so a polluted `Object.prototype` cannot leak into the merged options object.\n- New `utils.interpolateUrl` / `isSafeUrlSegment` / `sanitizeLogValue` / `redactUrlCredentials` helpers mirror the pattern shipped in `i18next-http-backend@3.0.5` (see its advisory [GHSA-q89c-q3h5-w34g](https://github.com/i18next/i18next-http-backend/security/advisories/GHSA-q89c-q3h5-w34g)).\n\n### Affected versions\n\nAll versions of `i18next-locize-backend` prior to **9.0.2**.\n\n### Patch\n\nFixed in **9.0.2**. `lib/index.js` now uses `interpolateUrl()` at every URL-build site and returns an error callback (or silently drops the queued write for `writePage`) when any interpolated value fails the safety check. Legitimate i18next language-code shapes (BCP-47, `en_US`, `zh-Hant-HK`, `my-custom.ns`, `+`-joined multi-language values) all pass.\n\n### Workarounds\n\nNo workaround short of upgrading. If you cannot upgrade immediately, sanitise `lng` / `ns` / `projectId` / `version` at your application boundary before passing them through to i18next \u2014 reject values containing `..`, `/`, `\\`, `?`, `#`, `%`, whitespace, control characters, and cap the length.\n\n### Credits\n\nDiscovered via an internal security audit of the i18next / locize ecosystem.\n\n### References\n\n- [CWE-22: Path Traversal](https://cwe.mitre.org/data/definitions/22.html)\n- [CWE-74: Injection](https://cwe.mitre.org/data/definitions/74.html)\n- [CWE-1321: Prototype Pollution (amplification path)](https://cwe.mitre.org/data/definitions/1321.html)\n- Related advisory in the same ecosystem: [GHSA-q89c-q3h5-w34g (i18next-http-backend)](https://github.com/i18next/i18next-http-backend/security/advisories/GHSA-q89c-q3h5-w34g)",
  "id": "GHSA-mgcp-mfp8-3q45",
  "modified": "2026-04-22T20:28:27Z",
  "published": "2026-04-22T20:28:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/locize/i18next-locize-backend/security/advisories/GHSA-mgcp-mfp8-3q45"
    },
    {
      "type": "WEB",
      "url": "https://github.com/locize/i18next-locize-backend/commit/8f81ad4707aa0e90647fde4da5fbe5b23153c6e1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/locize/i18next-locize-backend"
    },
    {
      "type": "WEB",
      "url": "https://github.com/locize/i18next-locize-backend/releases/tag/v9.0.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "i18next-locize-backend has URL Injection via Unsanitized Path Parameters"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.