CVE-2026-48714

June 15, 2026, 10:16 p.m.

9.1
Critical

Description

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not reject dotted variants such as "__proto__.polluted". Downstream backends that split the missing-key string on a configured keySeparator (notably i18next-fs-backend ≤ 2.6.5) hand these keys to an unguarded setPath() walker that writes to Object.prototype. Applications that expose missingKeyHandler to untrusted input AND use i18next-fs-backend ≤ 2.6.5 are directly exploitable for remote prototype pollution. Other downstream backends that split the missing-key string the same way may be similarly affected. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks. This issue has been fixed in version 3.9.7. If developers cannot upgrade immediately, they should do the following: do not expose missingKeyHandler to untrusted users (mount it behind authentication, or remove the route), add a request-body filter ahead of the handler that rejects any top-level key containing __proto__, constructor, or prototype after splitting on their configured keySeparator, and disable missing-key persistence (saveMissing: false) when accepting writes from untrusted input.

Product(s) Impacted

Vendor Product Versions
I18next
  • I18next-http-middleware
  • I18next-fs-backend
  • <3.9.7
  • <=2.6.5

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a i18next i18next-http-middleware <3.9.7 / / / / / / /
a i18next i18next-fs-backend <=2.6.5 / / / / / / /

References

https://github.com/i18next/i18next-http-middleware/commit/7c6d26f137d3e940b8d229ca148bca38845faf49
https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-f49m-vf83-692w

Tags

[email protected]
CWE-1321
2026-06-15
CVE-2026-48714

CVSS Score

9.1 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: NONE
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

    View Vector String

Timeline

Published: June 15, 2026, 10:16 p.m.
Last Modified: June 15, 2026, 10:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.