CVE-2026-41885
Received Received - Intake
Path Traversal in i18next-locize-backend

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of these values to user-controlled input (?lng= / ?ns= query parameters via i18next-browser-languagedetector, cookies, request headers, or a URL-derived projectId), a crafted value can change the structure of the outgoing request URL. Affected call sites in lib/index.js (pre-patch): the interpolate() helper is used at the five URL-build sites β€” _readAny/read (line 415 for private, 426 for public), getLanguages (lines 271 and 296), and writePage (lines 616 and 622) for the missing-key and update POST paths. The helper interpolate in lib/utils.js substitutes raw values with no encoding. This issue has been patched in version 9.0.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-41885
EUVD
EUVD-2026-28795
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
locize i18next-locize-backend to 9.0.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in i18next-locize-backend versions prior to 9.0.2. This backend interpolates certain parameters (lng, ns, projectId, and version) directly into URL templates used for loading and updating localization data without validating or encoding these values. If an attacker can control these parameters through user input such as query parameters, cookies, or headers, they can manipulate the structure of the outgoing request URL. This can lead to unexpected behavior or potential security issues.

Impact Analysis

This vulnerability can allow an attacker to craft malicious input that alters the URL structure used by the application to fetch or update localization data. This may lead to information disclosure or manipulation of requests, potentially impacting the confidentiality and integrity of the application data. The CVSS score of 6.5 indicates a medium severity with network attack vector, low attack complexity, no privileges required, and no user interaction needed.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade the i18next-locize-backend package to version 9.0.2 or later, where the issue has been patched.

Detection Guidance

This vulnerability can be detected by identifying if your system is running a version of the i18next-locize-backend npm package prior to 9.0.2, which is known to interpolate user-controlled values into URL templates without validation or encoding.

To detect exploitation attempts on your network or system, you can monitor outgoing requests for unusual or malformed URL paths or query parameters that include unexpected or crafted values in lng, ns, projectId, or version fields.

Since the vulnerability involves URL manipulation, you can use network monitoring tools or web server logs to look for suspicious URL patterns that may indicate path traversal or URL injection attempts.

  • Check the installed package version with: npm list i18next-locize-backend
  • Search your codebase for usage of i18next-locize-backend and inspect if user inputs are passed unsanitized to loadPath, privatePath, addPath, updatePath, or getLanguagesPath.
  • Use network capture tools like tcpdump or Wireshark to filter HTTP requests containing suspicious query parameters such as '?lng=', '?ns=', or other parameters related to i18next-locize-backend.
  • Example command to search logs for suspicious URL parameters: grep -E '\?(lng|ns|projectId|version)=' /var/log/nginx/access.log
  • Monitor application logs for errors or unexpected behavior related to translation resource loading.
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41885. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart