CVE-2026-42353
Path Traversal in i18next-http-middleware
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| i18next | http-middleware | < 3.9.3 (3.9.3 itself is not affected) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
| CWE-22 | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in i18next-http-middleware versions prior to 3.9.3. This middleware, used with Node.js web frameworks such as Express or Fastify, forwards the user-controlled 'lng' (language) and 'ns' (namespace) request values straight into i18next's backend connector without validation. The backend then interpolates those values into its configured loadPath, so an attacker can supply '../' segments to make a filesystem backend read files outside the locales directory (path traversal, CWE-22) or, with an HTTP backend, steer the resource fetch to an unintended location (server-side request forgery, CWE-918). Which of the two applies depends on the backend configuration.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability stems from i18next-http-middleware forwarding the 'lng' and 'ns' request parameters to the backend without sanitization, which can lead to path traversal or SSRF depending on the backend configuration. Detection therefore has two parts: finding vulnerable installations, and spotting exploitation attempts in traffic or logs.
First, inventory the installed version of i18next-http-middleware: any version earlier than 3.9.3 is affected.
Second, look for requests to the middleware's resource endpoint whose 'lng' or 'ns' values contain path-traversal sequences (`../`, including URL-encoded forms such as `%2e%2e%2f`) or absolute URLs; these indicate traversal or SSRF attempts.
Suggested commands:
- Check the installed version, including nested copies pulled in by other dependencies: `npm ls i18next-http-middleware --all`
- Find where the middleware is wired into your application so you know which route exposes the resource handler: `grep -rn "i18next-http-middleware" --include='*.js' --include='*.mjs' --include='*.ts' .`
- Watch live plaintext HTTP for suspicious parameters: `tcpdump -A -s 0 'tcp port 80' | grep -E 'lng=|ns='` (HTTPS traffic is encrypted on the wire, so for port 443 inspect at the TLS-terminating proxy or in the application's own logs instead)
- Review application or reverse-proxy access logs for traversal patterns or absolute URLs in the 'lng' or 'ns' parameters, for example: `grep -Ei '[?&](lng|ns)=[^& ]*(\.\.|%2e%2e|https?(:|%3a))' access.log`
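As an added example for the log-review step above (not part of this advisory or of the i18next-http-middleware project), the scanner below parses Combined Log Format access-log lines, extracts the 'lng' and 'ns' query values from requests to the resource endpoint, and flags traversal sequences and absolute URLs. It decodes URL-encoded and double-encoded values, which a plain grep for `../` misses. The log format, the endpoint path `/locales/resources.json` and the sample lines are constructed for the example.

```javascript
// Added example for this advisory, not part of the page or of the
// i18next-http-middleware project. It scans access-log lines for requests to
// the translation-resource endpoint whose 'lng' or 'ns' query values look like
// path-traversal or SSRF attempts, decoding URL-encoded and double-encoded
// values that a plain grep for '../' would miss. The log format (Combined Log
// Format), the endpoint path and the sample lines below are constructed.

const TRAVERSAL = /(^|[\\/])\.\.([\\/]|$)/;      // a '..' path segment
const ABSOLUTE_URL = /^[a-z][a-z0-9+.-]*:\/\//i; // scheme://..., e.g. http://
const SAFE_TOKEN = /^[A-Za-z0-9_-]+$/;           // expected shape of a language code or namespace
const REQUEST_RE = /"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/;

// Repeatedly percent-decode (bounded) so '%252e%252e%252f' ends up as '../'.
function fullyDecode(value) {
  let cur = value;
  for (let i = 0; i < 3; i++) {
    let next;
    try { next = decodeURIComponent(cur); } catch (e) { break; } // malformed escape: stop
    if (next === cur) break;
    cur = next;
  }
  return cur;
}

// Classify one lng/ns value (already decoded once by URLSearchParams).
// Returns a list of reasons; an empty list means the value looks benign.
function classifyValue(value) {
  const reasons = [];
  for (const part of fullyDecode(value).split(/[ ,]+/).filter(Boolean)) {
    if (TRAVERSAL.test(part)) reasons.push('traversal');
    else if (ABSOLUTE_URL.test(part)) reasons.push('absolute-url');
    else if (part.includes('\0')) reasons.push('nul-byte');
    else if (!SAFE_TOKEN.test(part)) reasons.push('unexpected-chars');
  }
  return reasons;
}

// Inspect one log line; returns findings for lng/ns values that look malicious.
function inspectLogLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return [];
  const target = m[1];
  const q = target.indexOf('?');
  if (q < 0) return [];
  const params = new URLSearchParams(target.slice(q + 1));
  const findings = [];
  for (const key of ['lng', 'ns']) {
    for (const value of params.getAll(key)) {
      const reasons = classifyValue(value);
      if (reasons.length > 0) findings.push({ key, value, reasons });
    }
  }
  return findings;
}

// Scan a whole log; returns one hit per flagged line with the client address.
function scanLog(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const findings = inspectLogLine(line);
    if (findings.length > 0) hits.push({ lineNo: i + 1, client: line.split(' ')[0], findings });
  });
  return hits;
}

// Constructed sample log: a benign resource request, a plain traversal, a
// double-encoded traversal, an SSRF-style absolute URL, and an unrelated page.
const SAMPLE_LOG = [
  '203.0.113.7 - - [08/May/2026:10:01:02 +0000] "GET /locales/resources.json?lng=en&ns=translation HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [08/May/2026:10:01:05 +0000] "GET /locales/resources.json?lng=..%2F..%2F..%2Fetc&ns=passwd HTTP/1.1" 200 1024 "-" "curl/8.5.0"',
  '198.51.100.4 - - [08/May/2026:10:01:09 +0000] "GET /locales/resources.json?lng=%252e%252e%252f%252e%252e%252fetc&ns=shadow HTTP/1.1" 500 0 "-" "python-requests/2.31"',
  '198.51.100.8 - - [08/May/2026:10:01:12 +0000] "GET /locales/resources.json?lng=http://169.254.169.254/latest/&ns=meta-data HTTP/1.1" 200 300 "-" "curl/8.5.0"',
  '203.0.113.7 - - [08/May/2026:10:01:20 +0000] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
];

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`line ${hit.lineNo} from ${hit.client}:`, JSON.stringify(hit.findings));
}
```

Feed real log lines through `scanLog` (for example by reading the file and splitting on newlines) and triage the hits by client address; a 200 status on a flagged line is the one to look at first, since it suggests the backend actually served something for the traversed path.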
How can this vulnerability impact me?
This vulnerability can have serious impacts: unauthorized reads of files on the server through path traversal, or the server making unintended requests to internal or external systems via SSRF, depending on which i18next backend is configured. What an attacker can actually obtain depends on the backend's loadPath template, the permissions of the Node.js process, and how the backend parses what it reads or fetches. The CVSS score of 8.2 indicates high severity, with a confidentiality impact and a limited integrity impact, but no impact on availability.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade i18next-http-middleware to version 3.9.3 or later, where the issue has been patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how the vulnerability in i18next-http-middleware impacts compliance with common standards and regulations such as GDPR or HIPAA.