CVE-2026-48714
Status: Received - Intake
Source: BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not reject dotted variants such as "__proto__.polluted". Downstream backends that split the missing-key string on a configured keySeparator (notably i18next-fs-backend ≤ 2.6.5) hand these keys to an unguarded setPath() walker that writes to Object.prototype. Applications that expose missingKeyHandler to untrusted input AND use i18next-fs-backend ≤ 2.6.5 are directly exploitable for remote prototype pollution. Other downstream backends that split the missing-key string the same way may be similarly affected. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks. This issue has been fixed in version 3.9.7. If developers cannot upgrade immediately, they should do the following: do not expose missingKeyHandler to untrusted users (mount it behind authentication, or remove the route), add a request-body filter ahead of the handler that rejects any top-level key containing __proto__, constructor, or prototype after splitting on their configured keySeparator, and disable missing-key persistence (saveMissing: false) when accepting writes from untrusted input.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
Affected Vendors & Products (2 associated CPEs)
Vendor | Product | Version / Range
i18next | http-middleware | up to 3.9.7 (exclusive)
i18next | fs-backend | up to 2.6.5 (inclusive)
CWE ID | Description
CWE-1321 | The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
Executive Summary

The vulnerability exists in i18next-http-middleware versions prior to 3.9.7, where the missingKeyHandler blocks certain literal request-body keys like __proto__, constructor, and prototype, but does not block their dotted variants such as "__proto__.polluted".

Downstream backends like i18next-fs-backend (version 2.6.5 and earlier) split the missing-key string on a configured keySeparator and pass these keys to an unguarded setPath() function that writes to Object.prototype.

If an application exposes missingKeyHandler to untrusted input and uses i18next-fs-backend ≤ 2.6.5, it is vulnerable to remote prototype pollution.

This prototype pollution can lead to crashes, corrupted translation behavior, configuration poisoning, or bypasses of property-based security checks.

The issue was fixed in version 3.9.7 of i18next-http-middleware.

Compliance Impact

The vulnerability allows remote prototype pollution which can lead to crashes, corrupted translation behavior, configuration poisoning, or bypasses of property-based security checks. Such impacts on application integrity and security controls could potentially affect compliance with standards and regulations like GDPR and HIPAA that require protection of data integrity and security.

However, the provided information does not explicitly describe the direct effects on compliance with these standards or regulations.

Impact Analysis

This vulnerability can impact you by allowing attackers to perform remote prototype pollution if your application exposes missingKeyHandler to untrusted input and uses vulnerable versions of i18next-fs-backend.

  • It may cause application crashes.
  • It can corrupt translation behavior within your application.
  • It can poison configuration settings.
  • It may allow attackers to bypass property-based security checks.
Detection Guidance

Detection of this vulnerability involves checking if your application uses i18next-http-middleware versions prior to 3.9.7 along with i18next-fs-backend version 2.6.5 or earlier, and if the missingKeyHandler is exposed to untrusted input.

You can inspect your package.json or package-lock.json files to identify the versions of these packages.

  • Run the command: npm list i18next-http-middleware
  • Run the command: npm list i18next-fs-backend

Additionally, review your application code or routes to see if missingKeyHandler is exposed to untrusted users.

Look for request bodies containing keys like '__proto__', 'constructor', 'prototype' or their dotted variants such as '__proto__.polluted' which may indicate exploitation attempts.

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade i18next-http-middleware to version 3.9.7 or later where the issue is fixed.
  • If upgrading immediately is not possible, do not expose missingKeyHandler to untrusted users by mounting it behind authentication or removing the route.
  • Add a request-body filter before the handler that rejects any top-level key containing '__proto__', 'constructor', or 'prototype' after splitting on the configured keySeparator.
  • Disable missing-key persistence by setting saveMissing to false when accepting writes from untrusted input.
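The following is an added example illustrating the request-body filter recommended above; it is not code from i18next-http-middleware or i18next-fs-backend. It assumes an Express-style middleware signature (req, res, next), a body already parsed by something like express.json(), and a keySeparator option matching the one configured for i18next (default '.'). The weak check shows why a literal comparison alone is insufficient: a key such as "__proto__.polluted" is not equal to "__proto__", so it passes, while the hardened check rejects it because one of its separator-delimited segments is a prototype-polluting name.

```javascript
// Added example (hypothetical code, not the project's own): a request-body
// filter that rejects prototype-polluting translation keys both literally and
// after splitting on the configured keySeparator.

const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Weak check mirroring the pre-3.9.7 behaviour described in the advisory:
// only the whole key is compared, so dotted variants slip through.
function isForbiddenLiteral(key) {
  return FORBIDDEN_SEGMENTS.has(key);
}

// Hardened check: split on keySeparator (as a dotted-path backend would)
// and reject if any segment is a forbidden name. A non-string key is
// treated as unsafe. When keySeparator is false (i18next's "flat keys"
// mode), only the literal key is examined.
function isForbiddenKey(key, keySeparator = '.') {
  if (typeof key !== 'string') return true;
  const segments = keySeparator ? key.split(keySeparator) : [key];
  return segments.some((segment) => FORBIDDEN_SEGMENTS.has(segment));
}

// Returns the list of offending top-level keys in a parsed request body.
// Object.keys() includes an own "__proto__" property created by JSON.parse,
// so a literal "__proto__" key from a JSON body is seen here as well.
function findOffendingKeys(body, keySeparator = '.') {
  if (!body || typeof body !== 'object') return [];
  return Object.keys(body).filter((k) => isForbiddenKey(k, keySeparator));
}

// Middleware factory to mount ahead of missingKeyHandler (assumed
// Express-style signature). Rejects the request with 400 instead of
// letting the keys reach the backend's path walker.
function rejectPollutingKeys(options = {}) {
  const keySeparator = options.keySeparator === undefined ? '.' : options.keySeparator;
  return function pollutionFilter(req, res, next) {
    const offending = findOffendingKeys(req.body, keySeparator);
    if (offending.length > 0) {
      return res.status(400).json({ error: 'rejected unsafe translation key' });
    }
    return next();
  };
}

// Minimal stand-in for an Express response, used only for the demo below.
function makeFakeRes() {
  return {
    statusCode: 200,
    payload: null,
    status(code) { this.statusCode = code; return this; },
    json(obj) { this.payload = obj; return this; },
  };
}

// Runs the filter over constructed sample bodies and reports, per body,
// whether the request was forwarded (next called) and the resulting status.
function runDemo(keySeparator = '.') {
  const filter = rejectPollutingKeys({ keySeparator });
  const samples = {
    benign: JSON.parse('{"welcome.title": "Welcome"}'),
    literal: JSON.parse('{"__proto__": {"polluted": true}}'),
    dotted: JSON.parse('{"__proto__.polluted": "yes"}'),
    nested: JSON.parse('{"constructor.prototype.polluted": "yes"}'),
  };
  const results = {};
  for (const [name, body] of Object.entries(samples)) {
    const res = makeFakeRes();
    let forwarded = false;
    filter({ body }, res, () => { forwarded = true; });
    results[name] = { forwarded, status: res.statusCode };
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runDemo());
}
```

Mount the filter on the same route as missingKeyHandler and before it, with keySeparator set to whatever the i18next instance uses; the literal check alone is what the advisory describes as insufficient, and the split-based check is the behaviour to keep even after upgrading if other dotted-path backends are in use.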