i18next-fs-backend Prototype Pollution via Crafted Missing-Key String (CVE-2026-48713)
Untrusted input can exploit a prototype pollution vulnerability (CVE-2026-48713) in `i18next-fs-backend` versions prior to 2.6.6, particularly via `i18next-http-middleware`'s `missingKeyHandler`, by submitting crafted missing-key strings that leverage the `keySeparator` to write arbitrary properties onto `Object.prototype`, leading to crashes, configuration poisoning, or security bypasses.
Versions of the i18next-fs-backend Node.js package prior to 2.6.6 are susceptible to a critical prototype pollution vulnerability, identified as CVE-2026-48713. This flaw arises when the backend is configured to persist missing translation keys, especially when exposed to untrusted user input via components like i18next-http-middleware's missingKeyHandler. An attacker can craft a missing-key string, such as "__proto__.polluted", which exploits the package's keySeparator splitting logic. This allows the internal setPath() function to write arbitrary properties directly onto the global Object.prototype, effectively polluting the object. This server-side vulnerability can lead to severe consequences, including application crashes, corrupted translation behavior, configuration poisoning, and potential bypasses of property-based security checks. The vulnerability impacts any Node.js application utilizing the affected versions under the specified configuration.
Attack Chain
- An attacker sends a malicious HTTP request to a web application endpoint that exposes
i18next-http-middleware'smissingKeyHandlerto untrusted users. - The request body or query parameter contains a specially crafted missing-key string, such as
__proto__.polluted=valueorconstructor.polluted=value. - The
i18next-fs-backend(version ≤ 2.6.5) receives this malicious key string for processing and persistence. - The
Backend.writeFile()function attempts to process the key and splits it using the configuredkeySeparator(defaulting to.), generating an array of segments like["__proto__", "polluted"]. - An internal path traversal helper,
getLastOfPath()inlib/utils.js, is called to walk these segments. - Due to the lack of proper validation or guarding against unsafe segments, this walker successfully traverses into
Object.prototype. - The
pollutedproperty (or similar) is then created or overwritten on the globalObject.prototypewith the attacker-controlledvalue, achieving prototype pollution. - Subsequent application code that accesses properties on objects without specific checks can be affected by the polluted prototype, leading to application crashes, configuration manipulation, or security bypasses.
Impact
The successful exploitation of CVE-2026-48713 can have critical consequences for affected Node.js applications. By injecting arbitrary properties into Object.prototype, attackers can cause application crashes by corrupting expected object structures, manipulate application configuration settings to alter behavior or gain control, or bypass security checks that rely on specific property values. While no specific victim counts are provided, any Node.js application using i18next-fs-backend <= 2.6.5 in combination with an exposed missingKeyHandler or similar untrusted input path is at risk. The impact extends across various sectors, particularly those using Node.js for web development and internationalization.
Recommendation
- Immediately upgrade
i18next-fs-backendto version 2.6.6 or higher to patch CVE-2026-48713. - Upgrade
i18next-http-middlewareto version 3.9.7 or higher, as it contains a companion defense-in-depth fix. - If immediate upgrades are not feasible, ensure the
missingKeyHandlerendpoint ofi18next-http-middlewareis not exposed to untrusted users (e.g., place it behind authentication or remove the route). - Disable missing-key persistence (
saveMissing: false) if accepting writes from untrusted input in youri18nextconfiguration. - As a workaround, set
keySeparator: falsein youri18nextoptions to prevent backend key splitting, noting this will also disable legitimate nested translation keys. - Deploy the Sigma rule provided in this brief to your SIEM for detection of exploitation attempts via web server logs.
Detection coverage 1
Detect CVE-2026-48713 Exploitation — i18next-fs-backend Prototype Pollution Attempt
highDetects exploitation attempts for CVE-2026-48713, where an attacker attempts prototype pollution via a crafted missing-key string containing '__proto__', 'constructor', or 'prototype' in web requests targeting i18next endpoints.
Detection queries are available on the platform. Get full rules →