CVE-2026-41690
Status: Received - Intake
Prototype Pollution in i18next-http-middleware

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE.
Meta Information
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: i18next
Product: i18next-http-middleware
Version / Range: up to 3.9.3 (exclusive)
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade the i18next-http-middleware package to version 3.9.3 or later, as versions prior to 3.9.3 are vulnerable.


Can you explain this vulnerability to me?

The vulnerability exists in versions of i18next-http-middleware prior to 3.9.3. It allows an unauthenticated HTTP client to manipulate the Object.prototype in the Node.js process running the middleware. This happens through two unvalidated entry points called getResourcesHandler and missingKeyHandler, which permit internal object-key writes. As a result, this can lead to broken authorization checks, type-confusion denial of service (DoS), and potentially remote code execution (RCE) depending on downstream code.


How can this vulnerability impact me?

This vulnerability can have several serious impacts. It can break authorization checks, for example causing conditions like (user.isAdmin) to return true for any user, effectively bypassing access controls. It can also cause type-confusion denial of service (DoS), disrupting the availability of the application. Furthermore, depending on how downstream code handles the manipulated objects, this vulnerability can be chained into remote code execution (RCE), allowing attackers to execute arbitrary code on the server.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows unauthenticated attackers to manipulate Object.prototype in the Node.js process, potentially leading to authorization bypasses, denial of service, or remote code execution. Such security weaknesses can compromise the confidentiality, integrity, and availability of data handled by applications using the affected middleware.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the ability to bypass authorization and execute code remotely could lead to unauthorized access or data breaches, which are critical concerns under these regulations.

Therefore, if exploited, this vulnerability could negatively impact compliance with common security and privacy regulations by exposing sensitive data or disrupting service integrity.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by identifying if your system is running a vulnerable version of the i18next-http-middleware package, specifically any version prior to 3.9.3.

Since the vulnerability involves unauthenticated HTTP clients sending specially crafted requests to the getResourcesHandler or missingKeyHandler endpoints, monitoring HTTP traffic for suspicious requests containing prototype pollution payloads targeting keys like __proto__, constructor, or prototype can help detect exploitation attempts.

There are no specific commands provided in the resources to detect this vulnerability directly. However, you can check the installed package version with a command like:

  • npm list i18next-http-middleware

To monitor HTTP requests for suspicious payloads, you might use network capture tools (e.g., tcpdump, Wireshark) or web server logs to look for requests containing __proto__ or constructor keys in query parameters or request bodies.

Since no direct detection commands or scripts are provided, the recommended action is to upgrade to version 3.9.3 or later to mitigate the vulnerability.
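The detection idea above (flagging request payloads that carry __proto__, constructor or prototype keys) and the safe-write pattern that makes such keys harmless, as an added example written for this page; it is not code from the i18next project or from the advisory, and it assumes the request body has already been parsed with JSON.parse, so the input is acyclic.

```javascript
// Added example (not i18next project code): a defender-side scan of a parsed
// request body or query for keys that could reach Object.prototype, plus a
// nested-write helper that refuses those keys and stores into null-prototype
// objects. Key names follow the page's list.
const POLLUTING_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns every dotted path (e.g. "lng.__proto__") at which a polluting key
// appears anywhere in `value`. An empty array means the payload looks clean.
// Own properties are enumerated with Object.keys, so a "__proto__" key produced
// by JSON.parse is seen as a plain own property rather than the accessor.
function findPollutingKeys(value, path = '', out = []) {
  if (value === null || typeof value !== 'object') return out;
  const keys = Array.isArray(value) ? value.map((_, i) => String(i)) : Object.keys(value);
  for (const key of keys) {
    const here = path ? `${path}.${key}` : key;
    if (POLLUTING_KEYS.has(key)) out.push(here);
    findPollutingKeys(value[key], here, out);
  }
  return out;
}

// Writes `value` at `keyPath` inside `target` (a null-prototype object) the way
// a resource store might, creating intermediate levels as needed. Any polluting
// key anywhere in the path makes it return false without writing, so no request
// can steer the write onto Object.prototype.
function safeSet(target, keyPath, value) {
  let cur = target;
  for (let i = 0; i < keyPath.length; i++) {
    const key = keyPath[i];
    if (POLLUTING_KEYS.has(key)) return false;
    if (i === keyPath.length - 1) { cur[key] = value; return true; }
    if (!Object.hasOwn(cur, key) || typeof cur[key] !== 'object' || cur[key] === null) {
      cur[key] = Object.create(null);
    }
    cur = cur[key];
  }
  return false; // empty path: nothing to write
}

// Constructed sample payloads (not captured traffic): one benign, one polluting.
const BENIGN_BODY = JSON.parse('{"lng":"en","ns":"common","key":"welcome"}');
const POLLUTING_BODY = JSON.parse('{"lng":"en","__proto__":{"isAdmin":true}}');

// Gate a parsed body: returns { ok, paths } so a middleware can reject and log it.
function checkBody(body) {
  const paths = findPollutingKeys(body);
  return { ok: paths.length === 0, paths };
}
```

Rejecting the request when `checkBody(...).ok` is false, and logging the returned paths, gives the web-server-log signal the answer above describes without depending on a specific framework.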

