CVE-2026-48713
Status: Received - Intake
BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description
Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input). Backend.writeFile() splits each queued missing-key string on the configured keySeparator (default .) before calling the internal setPath() walker. The walker (getLastOfPath in lib/utils.js) did not guard against unsafe segments, so a key like "__proto__.polluted" was split into ["__proto__", "polluted"] and walked straight into Object.prototype, allowing an attacker to write arbitrary properties onto the global object prototype.

Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks. Applications are affected only if the missingKeyHandler (or another route that forwards untrusted request bodies to i18next.t(..., { ... }) with saveMissing: true) is reachable by untrusted users and the default behaviour of splitting missing-key strings on keySeparator is in use (i.e. keySeparator is not false). Apps that do not expose missing-key persistence to untrusted input are not directly affected through this attack path.

This issue has been fixed in version 2.6.6. If developers using the library are unable to upgrade immediately, they should take the following precautions:

  • Do not expose i18next-http-middleware's missingKeyHandler to untrusted users (mount it behind authentication, or remove the route).
  • Disable missing-key persistence (saveMissing: false, or no backend.create implementation) when accepting writes from untrusted input.
  • Set keySeparator: false in their i18next options to disable backend key splitting (note: this also disables nested translation keys).
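The split-then-walk step the description refers to is easy to model. The block below is an added example, not code from i18next, i18next-fs-backend or i18next-http-middleware: setPathUnguarded approximates the behaviour the advisory attributes to the old walker, and setPathSafe is one typical hardening (reject "__proto__", "constructor" and "prototype" segments, and only descend into own properties), not necessarily the project's 2.6.6 patch. persistMissingKey and isSafeMissingKey are hypothetical helpers that also model the keySeparator: false workaround, under which the whole string is stored as a single flat key.

```javascript
// Added example, not code from the i18next projects. Models the key-splitting
// and path-walking step the advisory describes, with a hardened walker.

// Segments that, used as property names, reach into the prototype chain.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Unguarded walker approximating the advisory's old setPath(): it descends into
// whatever node[seg] already is, so a "__proto__" segment lands on
// Object.prototype and the final assignment pollutes every plain object.
function setPathUnguarded(obj, path, value) {
  let node = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    if (node[seg] === undefined) node[seg] = {};
    node = node[seg];
  }
  node[path[path.length - 1]] = value;
}

// Hardened walker (one typical fix, assumed here): rejects unsafe or empty
// segments up front and only descends into own plain-object properties, so an
// inherited property such as Object.prototype is never followed.
function setPathSafe(obj, path, value) {
  if (!Array.isArray(path) || path.length === 0) {
    throw new TypeError('path must be a non-empty array of segments');
  }
  for (const seg of path) {
    if (typeof seg !== 'string' || seg.length === 0 || UNSAFE_SEGMENTS.has(seg)) {
      throw new TypeError(`refusing to write unsafe key segment: ${String(seg)}`);
    }
  }
  let node = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const seg = path[i];
    const own = Object.prototype.hasOwnProperty.call(node, seg) ? node[seg] : undefined;
    if (typeof own !== 'object' || own === null) node[seg] = {};
    node = node[seg];
  }
  node[path[path.length - 1]] = value;
}

// Hypothetical model of persisting one missing key: split on keySeparator
// (default "."), or keep the whole string as a flat key when keySeparator is
// false, as with the advisory's keySeparator: false workaround.
function persistMissingKey(store, key, value, keySeparator = '.') {
  if (typeof key !== 'string') throw new TypeError('key must be a string');
  const path = keySeparator === false ? [key] : key.split(keySeparator);
  setPathSafe(store, path, value);
  return store;
}

// Pre-check usable in front of a missing-key endpoint: true when the key can
// be persisted safely under the given separator, false otherwise.
function isSafeMissingKey(key, keySeparator = '.') {
  try {
    persistMissingKey({}, key, null, keySeparator);
    return true;
  } catch (e) {
    return false;
  }
}

// Shows the advisory's key reaching Object.prototype through the unguarded
// walker, observed on an unrelated fresh object, then removes the property
// again so the global prototype is left clean. Returns true if pollution occurred.
function demonstrateUnguardedPollution() {
  setPathUnguarded({}, '__proto__.polluted'.split('.'), 'yes');
  const observed = ({}).polluted === 'yes';
  delete Object.prototype.polluted;
  return observed;
}

console.log('unguarded walker polluted Object.prototype:', demonstrateUnguardedPollution());
console.log('safe walker accepts "errors.notFound":', isSafeMissingKey('errors.notFound'));
console.log('safe walker rejects "__proto__.polluted":', isSafeMissingKey('__proto__.polluted'));
console.log('flat key with keySeparator false:', persistMissingKey({}, 'errors.notFound', 'x', false));
```

The same string that pollutes through setPathUnguarded is rejected by setPathSafe before any write happens, and with keySeparator set to false the dotted string is stored under a single key, so no segment ever names Object.prototype; the segment guard still refuses a bare "__proto__" key in that mode. Rejecting empty segments is an assumption of this example, not something the advisory specifies.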
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
NVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: i18next
Product: http-middleware
Version / Range: up to 2.6.6 (excluding)
CWE
CWE-1321: The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
AI Quick Actions
Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability affects versions of i18next-http-middleware prior to 2.6.6 and is a prototype pollution issue. It occurs when crafted missing-key strings are used to persist missing translation keys. The backend.writeFile() function splits these keys on the configured separator and then calls an internal walker that does not guard against unsafe segments. An attacker can therefore supply a key such as "__proto__.polluted", which the walker follows into the global Object prototype, so arbitrary properties can be written onto Object.prototype.

Impact Analysis

The impact of this vulnerability depends on the host application. Polluted prototype properties can cause application crashes, corrupted translation behavior, configuration poisoning, or bypasses of property-based security checks. Applications are only affected if the missingKeyHandler or similar routes that accept untrusted input and save missing keys are exposed to untrusted users and the default key splitting behavior is enabled.

Mitigation Strategies

To mitigate this vulnerability immediately, you should take the following precautions if you cannot upgrade to version 2.6.6:

  • Do not expose i18next-http-middleware's missingKeyHandler to untrusted users; mount it behind authentication or remove the route.
  • Disable missing-key persistence by setting saveMissing to false or by not implementing backend.create when accepting writes from untrusted input.
  • Set keySeparator to false in your i18next options to disable backend key splitting, noting that this also disables nested translation keys.