Vulnerability-Lookup

CVE-2026-41693 (GCVE-0-2026-41693)

Vulnerability from cvelistv5 – Published: 2026-05-08 15:38 – Updated: 2026-05-08 15:38

Title

i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite

Summary

i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting file from disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value — containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string — allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4.

Severity ?

8.2 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE

CWE-73 - External Control of File Name or Path
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Assigner

GitHub_M

References

URL

Tags

https://github.com/i18next/i18next-fs-backend/sec…

x_refsource_CONFIRM

Impacted products

	Vendor	Product	Version
	i18next	i18next-fs-backend	Affected: < 2.6.4

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "cna": {
      "affected": [
        {
          "product": "i18next-fs-backend",
          "vendor": "i18next",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.6.4"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting file from disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value \u2014 containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string \u2014 allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-73",
              "description": "CWE-73: External Control of File Name or Path",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-22",
              "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-08T15:38:50.525Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-8847-338w-5hcj",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-8847-338w-5hcj"
        }
      ],
      "source": {
        "advisory": "GHSA-8847-338w-5hcj",
        "discovery": "UNKNOWN"
      },
      "title": "i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-41693",
    "datePublished": "2026-05-08T15:38:50.525Z",
    "dateReserved": "2026-04-22T03:53:24.407Z",
    "dateUpdated": "2026-05-08T15:38:50.525Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-41693",
      "date": "2026-05-09",
      "epss": "0.0004",
      "percentile": "0.12007"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-41693\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-08T16:16:11.613\",\"lastModified\":\"2026-05-08T16:16:11.613\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting file from disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value \u2014 containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string \u2014 allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-22\"},{\"lang\":\"en\",\"value\":\"CWE-73\"}]}],\"references\":[{\"url\":\"https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-8847-338w-5hcj\",\"source\":\"security-advisories@github.com\"}]}}"
  }
}

FKIE_CVE-2026-41693

Vulnerability from fkie_nvd - Published: 2026-05-08 16:16 - Updated: 2026-05-08 16:16

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Summary

References

	URL	Tags
	security-advisories@github.com	https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-8847-338w-5hcj

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting file from disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value \u2014 containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string \u2014 allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4."
    }
  ],
  "id": "CVE-2026-41693",
  "lastModified": "2026-05-08T16:16:11.613",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.2,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-05-08T16:16:11.613",
  "references": [
    {
      "source": "security-advisories@github.com",
      "url": "https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-8847-338w-5hcj"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        },
        {
          "lang": "en",
          "value": "CWE-73"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}

GHSA-8847-338W-5HCJ

Vulnerability from github – Published: 2026-04-22 17:43 – Updated: 2026-04-30 20:16

Summary

i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite

Details

Summary

Versions of i18next-fs-backend prior to 2.6.4 interpolate the caller-supplied lng and ns values directly into the configured loadPath and addPath templates with no path-component validation and no sanitisation. When an application exposes the resolved language code to user-controlled input (?lng= query parameter, cookie, request header), a crafted value can break out of the intended locale directory.

Affected call sites in lib/index.js:

read (line 38 pre-patch): const filename = interpolate(loadPath, { lng: language, ns: namespace })
removeFile (line 101 pre-patch): same pattern against addPath
writeFile (line 127 pre-patch): same pattern against addPath for queued missing-key writes

The helper interpolate in lib/utils.js substitutes raw values with no encoding — unlike the addQueryString helper in i18next-http-backend, there is no equivalent safety for path interpolation.

Impact

Arbitrary file read. With a loadPath like /locales/{{lng}}/{{ns}}.json, an attacker-controlled lng = '../../etc' (and matching ns) causes the backend to read a file outside the locale directory. For parsers that tolerate arbitrary content (YAML's freeform text), the file contents surface as a translation resource.
Arbitrary file overwrite. addPath is interpolated the same way for missing-key writes (the create() code path and the debounced writer in writeFile). A traversing lng/ns combination can cause the process to write JSON structures to an unintended filesystem location, potentially overwriting application files if the process user has write access.
Chain with .js/.ts eval. i18next-fs-backend supports loading .js and .ts locale files by eval-ing their content (intentional feature, documented as requiring trusted sources). Combining traversal with that path — for example lng = '../../../app/config' against loadPath: '/locales/{{lng}}/{{ns}}.js' — would cause the backend to execute a server-side file as JavaScript, exfiltrating whatever it can touch (process.env, connected services).

Exploitation requires the application to pass an untrusted lng/ns value through to i18next.t() without its own validation. Many i18next setups do exactly this via i18next-browser-languagedetector (query string / cookie detection).

Affected versions

All versions of i18next-fs-backend prior to 2.6.4.

Patch

Fixed in 2.6.4. lib/utils.js now exports:

isSafePathSegment(v) — returns true only if v is a non-empty string of ≤ 128 chars that does not contain .., /, \, control characters, or a prototype key (__proto__, constructor, prototype). Legitimate i18next language-code shapes (BCP-47, en_US, zh-Hant-HK, pirate-speak, my-custom.ns, +-joined multi-language values) all pass.
interpolatePath(template, data) — substitutes variables like the existing interpolate but refuses the whole result if any segment fails isSafePathSegment. Callers bail out with an error (read) or silently drop the queued write (writeFile, removeFile).

The .js / .ts eval behaviour is intentionally retained — dynamic expressions in locale files are a documented feature of this backend, and safe replacements like dynamic import() are async-only and incompatible with this backend's sync-capable code path. The README has a new "Security considerations" section that spells out the trust model: .js/.ts locale files must be treated as code.

Workarounds

No workaround short of upgrading. If you cannot upgrade immediately, sanitise lng / ns at your application boundary before passing them to i18next — reject values containing .., /, \, control characters, and cap the length.

Credits

Discovered via an internal security audit of the i18next ecosystem.

Severity ?

8.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "i18next-fs-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41693"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-22",
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-22T17:43:14Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nVersions of `i18next-fs-backend` prior to 2.6.4 interpolate the caller-supplied `lng` and `ns` values directly into the configured `loadPath` and `addPath` templates with no path-component validation and no sanitisation. When an application exposes the resolved language code to user-controlled input (`?lng=` query parameter, cookie, request header), a crafted value can break out of the intended locale directory.\n\nAffected call sites in `lib/index.js`:\n\n- `read` (line 38 pre-patch): `const filename = interpolate(loadPath, { lng: language, ns: namespace })`\n- `removeFile` (line 101 pre-patch): same pattern against `addPath`\n- `writeFile` (line 127 pre-patch): same pattern against `addPath` for queued missing-key writes\n\nThe helper `interpolate` in `lib/utils.js` substitutes raw values with no encoding \u2014 unlike the `addQueryString` helper in `i18next-http-backend`, there is no equivalent safety for path interpolation.\n\n### Impact\n\n- **Arbitrary file read.** With a `loadPath` like `/locales/{{lng}}/{{ns}}.json`, an attacker-controlled `lng = \u0027../../etc\u0027` (and matching `ns`) causes the backend to read a file outside the locale directory. For parsers that tolerate arbitrary content (YAML\u0027s freeform text), the file contents surface as a translation resource.\n- **Arbitrary file overwrite.** `addPath` is interpolated the same way for missing-key writes (the `create()` code path and the debounced writer in `writeFile`). A traversing `lng`/`ns` combination can cause the process to write JSON structures to an unintended filesystem location, potentially overwriting application files if the process user has write access.\n- **Chain with `.js`/`.ts` eval.** `i18next-fs-backend` supports loading `.js` and `.ts` locale files by `eval`-ing their content (intentional feature, documented as requiring trusted sources). Combining traversal with that path \u2014 for example `lng = \u0027../../../app/config\u0027` against `loadPath: \u0027/locales/{{lng}}/{{ns}}.js\u0027` \u2014 would cause the backend to **execute** a server-side file as JavaScript, exfiltrating whatever it can touch (`process.env`, connected services).\n\nExploitation requires the application to pass an untrusted `lng`/`ns` value through to `i18next.t()` without its own validation. Many i18next setups do exactly this via `i18next-browser-languagedetector` (query string / cookie detection).\n\n### Affected versions\n\nAll versions of `i18next-fs-backend` prior to **2.6.4**.\n\n### Patch\n\nFixed in **2.6.4**. `lib/utils.js` now exports:\n\n- `isSafePathSegment(v)` \u2014 returns `true` only if `v` is a non-empty string of \u2264 128 chars that does not contain `..`, `/`, `\\`, control characters, or a prototype key (`__proto__`, `constructor`, `prototype`). Legitimate i18next language-code shapes (BCP-47, `en_US`, `zh-Hant-HK`, `pirate-speak`, `my-custom.ns`, `+`-joined multi-language values) all pass.\n- `interpolatePath(template, data)` \u2014 substitutes variables like the existing `interpolate` but refuses the whole result if any segment fails `isSafePathSegment`. Callers bail out with an error (`read`) or silently drop the queued write (`writeFile`, `removeFile`).\n\nThe `.js` / `.ts` `eval` behaviour is intentionally retained \u2014 dynamic expressions in locale files are a documented feature of this backend, and safe replacements like dynamic `import()` are async-only and incompatible with this backend\u0027s sync-capable code path. The README has a new \"Security considerations\" section that spells out the trust model: `.js`/`.ts` locale files must be treated as code.\n\n### Workarounds\n\nNo workaround short of upgrading. If you cannot upgrade immediately, sanitise `lng` / `ns` at your application boundary before passing them to i18next \u2014 reject values containing `..`, `/`, `\\`, control characters, and cap the length.\n\n### Credits\n\nDiscovered via an internal security audit of the i18next ecosystem.",
  "id": "GHSA-8847-338w-5hcj",
  "modified": "2026-04-30T20:16:09Z",
  "published": "2026-04-22T17:43:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-8847-338w-5hcj"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/i18next/i18next-fs-backend"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-41693 (GCVE-0-2026-41693)

FKIE_CVE-2026-41693

GHSA-8847-338W-5HCJ

Summary

Impact

Affected versions

Patch

Workarounds

Credits

Tags

Sightings

Nomenclature