CVE-2026-42353
Received Received - Intake
Path Traversal in i18next-http-middleware

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-08
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42353
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
i18next http-middleware to 3.9.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-918 The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can have serious impacts including unauthorized access to files or resources on the server through path traversal, or making the server perform unintended requests to internal or external systems via SSRF. The CVSS score of 8.2 indicates a high severity with potential for confidentiality impact and limited integrity impact, but no impact on availability.

Mitigation Strategies

To mitigate this vulnerability, upgrade i18next-http-middleware to version 3.9.3 or later, where the issue has been patched.

Executive Summary

The vulnerability exists in i18next-http-middleware versions prior to 3.9.3. This middleware, used with Node.js web frameworks like express or Fastify, passes user-controlled 'lng' and 'ns' values directly into the backend connector without any sanitization. Because these values are not validated, an attacker can manipulate them to perform path traversal or server-side request forgery (SSRF) attacks depending on the backend configuration.

Detection Guidance

This vulnerability involves the i18next-http-middleware passing user-controlled 'lng' and 'ns' parameters without sanitization, which can lead to path traversal or SSRF attacks depending on the backend configuration.

To detect this vulnerability on your system, you should check the version of i18next-http-middleware in use and verify if it is prior to version 3.9.3, as versions before this are vulnerable.

You can also monitor network traffic or logs for suspicious requests that include unusual or malicious values in the 'lng' or 'ns' parameters, such as path traversal sequences (e.g., '../') or unexpected URLs that could indicate SSRF attempts.

Suggested commands to check the installed version and scan for vulnerable versions include:

  • Check the installed version in your Node.js project: `npm list i18next-http-middleware`
  • Search for usage of 'lng' and 'ns' parameters in your codebase to identify potential unsanitized inputs: `grep -r "lng" ./` and `grep -r "ns" ./`
  • Monitor HTTP requests for suspicious parameters using tools like tcpdump or Wireshark, for example: `tcpdump -A -s 0 'tcp port 80 or tcp port 443' | grep -E 'lng=|ns='`
  • Review application logs for requests containing path traversal patterns or unexpected external URLs in 'lng' or 'ns' parameters.
Compliance Impact

The provided information does not specify how the vulnerability in i18next-http-middleware impacts compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42353. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart