CVE-2026-48713
Undergoing Analysis Undergoing Analysis - In Progress

Prototype Pollution in i18next Backend

Vulnerability report for CVE-2026-48713, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input). Backend.writeFile() splits each queued missing-key string on the configured keySeparator (default .) before calling the internal setPath() walker. The walker (getLastOfPath in lib/utils.js) did not guard against unsafe segments, so a key like "__proto__.polluted" was split into ["__proto__", "polluted"] and walked straight into Object.prototype, allowing an attacker to write arbitrary properties onto the global object prototype. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks. Applications are affected only if the missingKeyHandler (or another route that forwards untrusted request bodies to i18next.t(..., { ... }) with saveMissing: true) is reachable by untrusted users and the default behaviour of splitting missing-key strings on keySeparator is in use (i.e. keySeparator is not false). Apps that do not expose missing-key persistence to untrusted input are not directly affected through this attack path. This issue has been fixed in version 2.6.6. If developers using the library are unable to upgrade immediately, they should take the following precautions: do not expose i18next-http-middleware's missingKeyHandler to untrusted users (mount it behind authentication, or remove the route), disable missing-key persistence (saveMissing: false, or no backend.create implementation) when accepting writes from untrusted input, and set keySeparator: false in their i18next options to disable backend key splitting (note: this also disables nested translation keys).

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-15
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
i18next http-middleware to 2.6.6 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability affects versions of i18next-http-middleware prior to 2.6.6 and is a prototype pollution issue. It occurs when crafted missing-key strings are used to persist missing translation keys. The backend.writeFile() function splits these keys on a configured separator and then calls an internal function that does not properly guard against unsafe segments. This allows an attacker to inject keys like "__proto__.polluted" which modifies the global Object prototype. As a result, arbitrary properties can be written onto the global object prototype.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Impact Analysis

The impact of this vulnerability depends on the host application. Polluted prototype properties can cause application crashes, corrupted translation behavior, configuration poisoning, or bypasses of property-based security checks. Applications are only affected if the missingKeyHandler or similar routes that accept untrusted input and save missing keys are exposed to untrusted users and the default key splitting behavior is enabled.

Mitigation Strategies

To mitigate this vulnerability immediately, you should take the following precautions if you cannot upgrade to version 2.6.6:

  • Do not expose i18next-http-middleware's missingKeyHandler to untrusted users; mount it behind authentication or remove the route.
  • Disable missing-key persistence by setting saveMissing to false or by not implementing backend.create when accepting writes from untrusted input.
  • Set keySeparator to false in your i18next options to disable backend key splitting, noting that this also disables nested translation keys.
Detection Guidance

Detection of this vulnerability involves identifying if your system is running a vulnerable version of the i18next-fs-backend package (prior to 2.6.6) and if the i18next-http-middleware's missingKeyHandler is exposed to untrusted input with saveMissing enabled and the default keySeparator behavior active.

To detect potential exploitation attempts, you can monitor incoming requests to the missingKeyHandler endpoint for suspicious missing-key strings containing prototype pollution payloads such as '__proto__.polluted' or similar crafted keys.

Example commands to help detect such attempts might include:

  • Using network traffic inspection tools (e.g., tcpdump, Wireshark) to filter HTTP requests containing '__proto__' in the payload or URL.
  • Using grep or similar tools on server logs to search for suspicious keys: grep -r '__proto__' /path/to/logs
  • Checking the version of i18next-fs-backend in your project dependencies: npm list i18next-fs-backend
  • Verifying if the missingKeyHandler route is exposed and if saveMissing is enabled in your i18next configuration.

If you detect such suspicious keys or are running a vulnerable version with exposed routes, immediate mitigation or upgrade is recommended.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48713. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart