Skip to content

Commit aa07cbb

Browse files
1 parent 2f1c53f commit aa07cbb

2 files changed

Lines changed: 130 additions & 0 deletions

File tree

Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2933-q333-qg83",
4+
"modified": "2026-06-25T17:28:46Z",
5+
"published": "2026-06-25T17:28:46Z",
6+
"aliases": [
7+
"CVE-2026-48713"
8+
],
9+
"summary": "i18next-fs-backend vulnerable to prototype pollution via crafted missing-key string",
10+
"details": "### Impact\n\n`i18next-fs-backend` ≤ 2.6.5, when used to persist missing translation keys (e.g. via `i18next-http-middleware`'s `missingKeyHandler` exposed to untrusted input), is vulnerable to prototype pollution via crafted missing-key strings.\n\n`Backend.writeFile()` splits each queued missing-key string on the configured `keySeparator` (default `.`) before calling the internal `setPath()` walker. The walker (`getLastOfPath` in `lib/utils.js`) did not guard against unsafe segments, so a key like `\"__proto__.polluted\"` was split into `[\"__proto__\", \"polluted\"]` and walked straight into `Object.prototype`, allowing an attacker to write arbitrary properties onto the global object prototype.\n\nDepending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks.\n\n### Affected configuration\n\nApplications are directly affected only if **all** of the following hold:\n\n- `i18next-fs-backend` ≤ 2.6.5 is configured as the backend.\n- `i18next-http-middleware`'s `missingKeyHandler` (or another route that forwards untrusted request bodies to `i18next.t(..., { ... })` with `saveMissing: true`) is reachable by untrusted users.\n- The default behaviour of splitting missing-key strings on `keySeparator` is in use (i.e. `keySeparator` is not `false`).\n\nApps that do not expose missing-key persistence to untrusted input are not directly affected through this attack path.\n\n### Patches\n\nFixed in **i18next-fs-backend 2.6.6**. The traversal helper now refuses to descend through `__proto__`, `constructor`, or `prototype` segments and drops the offending write silently. Legitimate dotted keys (e.g. `\"header.title\"`) are unaffected.\n\nA matching defence-in-depth fix has been shipped in `i18next-http-middleware` **3.9.7** — see the companion advisory.\n\n### Workarounds\n\nIf users cannot upgrade immediately:\n\n- Do not expose `i18next-http-middleware`'s `missingKeyHandler` to untrusted users (mount it behind authentication, or remove the route).\n- Disable missing-key persistence (`saveMissing: false`, or no `backend.create` implementation) when accepting writes from untrusted input.\n- Set `keySeparator: false` in the i18next options to disable backend key splitting (note: this also disables nested translation keys).\n\n### Resources\n\n- Original report by [@codeswhite](https://github.com/codeswhite).\n- Companion advisory in `i18next-http-middleware`: [GHSA-f49m-vf83-692w](https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-f49m-vf83-692w).\n- Previous `i18next-fs-backend` security release: GHSA-8847-338w-5hcj (path traversal via `lng`/`ns`, fixed in 2.6.4).",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "i18next-fs-backend"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.6.6"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-2933-q333-qg83"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48713"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/i18next/i18next-fs-backend/commit/3ab0448087da6935a40117f904b7457281f963f4"
50+
},
51+
{
52+
"type": "PACKAGE",
53+
"url": "https://github.com/i18next/i18next-fs-backend"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-1321"
59+
],
60+
"severity": "CRITICAL",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2026-06-25T17:28:46Z",
63+
"nvd_published_at": "2026-06-15T22:16:17Z"
64+
}
65+
}
Lines changed: 65 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,65 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-f49m-vf83-692w",
4+
"modified": "2026-06-25T17:28:12Z",
5+
"published": "2026-06-25T17:28:12Z",
6+
"aliases": [
7+
"CVE-2026-48714"
8+
],
9+
"summary": "i18next-http-middleware: MissingKeyHandler does not reject keys whose segments contain prototype-polluting names",
10+
"details": "### Impact\n\n`i18next-http-middleware` ≤ 3.9.6's `missingKeyHandler` blocked the literal request-body keys `__proto__`, `constructor`, and `prototype` (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not reject dotted variants such as `\"__proto__.polluted\"`. Downstream backends that split the missing-key string on a configured `keySeparator` (notably `i18next-fs-backend` ≤ 2.6.5) hand these keys to an unguarded `setPath()` walker that writes to `Object.prototype`.\n\nApplications that expose `missingKeyHandler` to untrusted input **AND** use `i18next-fs-backend` ≤ 2.6.5 are directly exploitable for remote prototype pollution. Other downstream backends that split the missing-key string the same way may be similarly affected.\n\nDepending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks.\n\n### Patches\n\nFixed in **i18next-http-middleware 3.9.7**. A new `utils.hasUnsafeKeySegment(key, keySeparator)` helper is now used by `missingKeyHandler`; the configured `i18next.options.keySeparator` is honoured (default `.`; `false` disables segment splitting and only the literal-key denylist applies). Legitimate dotted keys (e.g. `\"header.title\"`) are unaffected.\n\nThe root-cause fix has been shipped in `i18next-fs-backend` **2.6.6** — see the companion advisory.\n\n### Workarounds\n\nIf users cannot upgrade immediately:\n\n- Do not expose `missingKeyHandler` to untrusted users (mount it behind authentication, or remove the route).\n- Add a request-body filter ahead of the handler that rejects any top-level key containing `__proto__`, `constructor`, or `prototype` after splitting on a configured `keySeparator`.\n- Disable missing-key persistence (`saveMissing: false`) when accepting writes from untrusted input.\n\n### Resources\n\n- Original report by [@codeswhite](https://github.com/codeswhite).\n- Companion advisory in `i18next-fs-backend`: [GHSA-2933-q333-qg83](https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-2933-q333-qg83).\n- Previous `i18next-http-middleware` security release: GHSA-5fgg-jcpf-8jjw and GHSA-c3h8-g69v-pjrg (in 3.9.3).",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "npm",
21+
"name": "i18next-http-middleware"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "3.9.7"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "WEB",
41+
"url": "https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-f49m-vf83-692w"
42+
},
43+
{
44+
"type": "ADVISORY",
45+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48714"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://github.com/i18next/i18next-http-middleware/commit/7c6d26f137d3e940b8d229ca148bca38845faf49"
50+
},
51+
{
52+
"type": "PACKAGE",
53+
"url": "https://github.com/i18next/i18next-http-middleware"
54+
}
55+
],
56+
"database_specific": {
57+
"cwe_ids": [
58+
"CWE-1321"
59+
],
60+
"severity": "CRITICAL",
61+
"github_reviewed": true,
62+
"github_reviewed_at": "2026-06-25T17:28:12Z",
63+
"nvd_published_at": "2026-06-15T22:16:17Z"
64+
}
65+
}

0 commit comments

Comments
 (0)