Vulnerability-Lookup

GHSA-2933-Q333-QG83

Vulnerability from github – Published: 2026-06-25 17:28 – Updated: 2026-06-25 17:28

Summary

i18next-fs-backend vulnerable to prototype pollution via crafted missing-key string

Details

Impact

i18next-fs-backend ≤ 2.6.5, when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input), is vulnerable to prototype pollution via crafted missing-key strings.

Backend.writeFile() splits each queued missing-key string on the configured keySeparator (default .) before calling the internal setPath() walker. The walker (getLastOfPath in lib/utils.js) did not guard against unsafe segments, so a key like "__proto__.polluted" was split into ["__proto__", "polluted"] and walked straight into Object.prototype, allowing an attacker to write arbitrary properties onto the global object prototype.

Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks.

Affected configuration

Applications are directly affected only if all of the following hold:

i18next-fs-backend ≤ 2.6.5 is configured as the backend.
i18next-http-middleware's missingKeyHandler (or another route that forwards untrusted request bodies to i18next.t(..., { ... }) with saveMissing: true) is reachable by untrusted users.
The default behaviour of splitting missing-key strings on keySeparator is in use (i.e. keySeparator is not false).

Apps that do not expose missing-key persistence to untrusted input are not directly affected through this attack path.

Patches

Fixed in i18next-fs-backend 2.6.6. The traversal helper now refuses to descend through __proto__, constructor, or prototype segments and drops the offending write silently. Legitimate dotted keys (e.g. "header.title") are unaffected.

A matching defence-in-depth fix has been shipped in i18next-http-middleware 3.9.7 — see the companion advisory.

Workarounds

If users cannot upgrade immediately:

Do not expose i18next-http-middleware's missingKeyHandler to untrusted users (mount it behind authentication, or remove the route).
Disable missing-key persistence (saveMissing: false, or no backend.create implementation) when accepting writes from untrusted input.
Set keySeparator: false in the i18next options to disable backend key splitting (note: this also disables nested translation keys).

Resources

Original report by @codeswhite.
Companion advisory in i18next-http-middleware: GHSA-f49m-vf83-692w.
Previous i18next-fs-backend security release: GHSA-8847-338w-5hcj (path traversal via lng/ns, fixed in 2.6.4).

Severity

9.1 (Critical)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "i18next-fs-backend"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.6.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-48713"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1321"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-25T17:28:46Z",
    "nvd_published_at": "2026-06-15T22:16:17Z",
    "severity": "CRITICAL"
  },
  "details": "### Impact\n\n`i18next-fs-backend` \u2264 2.6.5, when used to persist missing translation keys (e.g. via `i18next-http-middleware`\u0027s `missingKeyHandler` exposed to untrusted input), is vulnerable to prototype pollution via crafted missing-key strings.\n\n`Backend.writeFile()` splits each queued missing-key string on the configured `keySeparator` (default `.`) before calling the internal `setPath()` walker. The walker (`getLastOfPath` in `lib/utils.js`) did not guard against unsafe segments, so a key like `\"__proto__.polluted\"` was split into `[\"__proto__\", \"polluted\"]` and walked straight into `Object.prototype`, allowing an attacker to write arbitrary properties onto the global object prototype.\n\nDepending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks.\n\n### Affected configuration\n\nApplications are directly affected only if **all** of the following hold:\n\n- `i18next-fs-backend` \u2264 2.6.5 is configured as the backend.\n- `i18next-http-middleware`\u0027s `missingKeyHandler` (or another route that forwards untrusted request bodies to `i18next.t(..., { ... })` with `saveMissing: true`) is reachable by untrusted users.\n- The default behaviour of splitting missing-key strings on `keySeparator` is in use (i.e. `keySeparator` is not `false`).\n\nApps that do not expose missing-key persistence to untrusted input are not directly affected through this attack path.\n\n### Patches\n\nFixed in **i18next-fs-backend 2.6.6**. The traversal helper now refuses to descend through `__proto__`, `constructor`, or `prototype` segments and drops the offending write silently. Legitimate dotted keys (e.g. `\"header.title\"`) are unaffected.\n\nA matching defence-in-depth fix has been shipped in `i18next-http-middleware` **3.9.7** \u2014 see the companion advisory.\n\n### Workarounds\n\nIf users cannot upgrade immediately:\n\n- Do not expose `i18next-http-middleware`\u0027s `missingKeyHandler` to untrusted users (mount it behind authentication, or remove the route).\n- Disable missing-key persistence (`saveMissing: false`, or no `backend.create` implementation) when accepting writes from untrusted input.\n- Set `keySeparator: false` in the i18next options to disable backend key splitting (note: this also disables nested translation keys).\n\n### Resources\n\n- Original report by [@codeswhite](https://github.com/codeswhite).\n- Companion advisory in `i18next-http-middleware`: [GHSA-f49m-vf83-692w](https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-f49m-vf83-692w).\n- Previous `i18next-fs-backend` security release: GHSA-8847-338w-5hcj (path traversal via `lng`/`ns`, fixed in 2.6.4).",
  "id": "GHSA-2933-q333-qg83",
  "modified": "2026-06-25T17:28:46Z",
  "published": "2026-06-25T17:28:46Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-2933-q333-qg83"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48713"
    },
    {
      "type": "WEB",
      "url": "https://github.com/i18next/i18next-fs-backend/commit/3ab0448087da6935a40117f904b7457281f963f4"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/i18next/i18next-fs-backend"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "i18next-fs-backend vulnerable to prototype pollution via crafted missing-key string"
}

CVE-2026-48713 (GCVE-0-2026-48713)

Vulnerability from cvelistv5 – Published: 2026-06-15 20:31 – Updated: 2026-06-16 12:49

Title

i18next-fs-backend: Prototype pollution via crafted missing-key string

Summary

Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input). Backend.writeFile() splits each queued missing-key string on the configured keySeparator (default .) before calling the internal setPath() walker. The walker (getLastOfPath in lib/utils.js) did not guard against unsafe segments, so a key like "__proto__.polluted" was split into ["__proto__", "polluted"] and walked straight into Object.prototype, allowing an attacker to write arbitrary properties onto the global object prototype. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks. Applications are affected only if the missingKeyHandler (or another route that forwards untrusted request bodies to i18next.t(..., { ... }) with saveMissing: true) is reachable by untrusted users and the default behaviour of splitting missing-key strings on keySeparator is in use (i.e. keySeparator is not false). Apps that do not expose missing-key persistence to untrusted input are not directly affected through this attack path. This issue has been fixed in version 2.6.6. If developers using the library are unable to upgrade immediately, they should take the following precautions: do not expose i18next-http-middleware's missingKeyHandler to untrusted users (mount it behind authentication, or remove the route), disable missing-key persistence (saveMissing: false, or no backend.create implementation) when accepting writes from untrusted input, and set keySeparator: false in their i18next options to disable backend key splitting (note: this also disables nested translation keys).

Severity

9.1 (Critical)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Assigner

GitHub_M

References

2 references

URL	Tags
https://github.com/i18next/i18next-fs-backend/sec…	x_refsource_CONFIRM
https://github.com/i18next/i18next-fs-backend/com…	x_refsource_MISC

Impacted products

1 product

Vendor	Product	Version
i18next	i18next-fs-backend	Affected: < 2.6.6

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-48713",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-16T12:49:11.525388Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-16T12:49:24.673Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "i18next-fs-backend",
          "vendor": "i18next",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 2.6.6"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware\u0027s missingKeyHandler exposed to untrusted input). Backend.writeFile() splits each queued missing-key string on the configured keySeparator (default .) before calling the internal setPath() walker. The walker (getLastOfPath in lib/utils.js) did not guard against unsafe segments, so a key like \"__proto__.polluted\" was split into [\"__proto__\", \"polluted\"] and walked straight into Object.prototype, allowing an attacker to write arbitrary properties onto the global object prototype. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks. Applications are affected only if the missingKeyHandler (or another route that forwards untrusted request bodies to i18next.t(..., { ... }) with saveMissing: true) is reachable by untrusted users and the default behaviour of splitting missing-key strings on keySeparator is in use (i.e. keySeparator is not false). Apps that do not expose missing-key persistence to untrusted input are not directly affected through this attack path. This issue has been fixed in version 2.6.6. If developers using the library are unable to upgrade immediately, they should take the following precautions: do not expose i18next-http-middleware\u0027s missingKeyHandler to untrusted users (mount it behind authentication, or remove the route), disable missing-key persistence (saveMissing: false, or no backend.create implementation) when accepting writes from untrusted input, and set keySeparator: false in their i18next options to disable backend key splitting (note: this also disables nested translation keys)."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1321",
              "description": "CWE-1321: Improperly Controlled Modification of Object Prototype Attributes (\u0027Prototype Pollution\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-15T20:31:53.929Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-2933-q333-qg83",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-2933-q333-qg83"
        },
        {
          "name": "https://github.com/i18next/i18next-fs-backend/commit/3ab0448087da6935a40117f904b7457281f963f4",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/i18next/i18next-fs-backend/commit/3ab0448087da6935a40117f904b7457281f963f4"
        }
      ],
      "source": {
        "advisory": "GHSA-2933-q333-qg83",
        "discovery": "UNKNOWN"
      },
      "title": "i18next-fs-backend: Prototype pollution via crafted missing-key string"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-48713",
    "datePublished": "2026-06-15T20:31:53.929Z",
    "dateReserved": "2026-05-22T18:47:27.755Z",
    "dateUpdated": "2026-06-16T12:49:24.673Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted