i18next-http-middleware Prototype Pollution via missingKeyHandler (CVE-2026-48714)
A critical prototype pollution vulnerability (CVE-2026-48714) exists in `i18next-http-middleware` versions up to 3.9.6, where the `missingKeyHandler` fails to adequately sanitize dotted key segments, allowing attackers to manipulate `Object.prototype` when exposed to untrusted input and used with vulnerable `i18next-fs-backend` versions up to 2.6.5, potentially leading to configuration poisoning, security bypasses, crashes, or remote code execution.
A critical prototype pollution vulnerability, identified as CVE-2026-48714, affects i18next-http-middleware versions 3.9.6 and earlier. This flaw specifically impacts the missingKeyHandler, which is designed to process keys for missing translations. While previous versions introduced denylists for literal unsafe keys like __proto__, this vulnerability arises because the handler failed to block dotted variants, such as "__proto__.polluted". When applications expose this missingKeyHandler to untrusted user input and are combined with vulnerable backend packages like i18next-fs-backend versions 2.6.5 or earlier, an attacker can exploit this oversight. The keySeparator (default .) within these backends splits the malicious key, passing it to an unguarded setPath() function that then directly writes to Object.prototype. Successful exploitation can lead to severe consequences including application crashes, corrupted translation behavior, configuration poisoning, and bypasses of property-based security checks, with potential for remote code execution. Patches are available in i18next-http-middleware 3.9.7 and i18next-fs-backend 2.6.6.
Attack Chain
- Reconnaissance & Target Identification: An attacker identifies a web application utilizing
i18next-http-middlewareandi18next-fs-backendwith an exposedmissingKeyHandlerendpoint that accepts untrusted input. - Vulnerability Confirmation: The attacker sends test requests to confirm the application's response to various keys, probing for the behavior of the
missingKeyHandler. - Craft Malicious Request: The attacker crafts a specially designed HTTP POST request targeting the exposed
missingKeyHandlerendpoint, including a malicious key in the request body, such as"__proto__.polluted=value". - Handler Processing: The
i18next-http-middlewarereceives the request and passes the malicious key to itsmissingKeyHandlerfunction. - Key Segmentation: Inside the
missingKeyHandler(or the downstream backend), the configuredkeySeparator(typically.) splits the"__proto__.polluted"key into segments. - Prototype Pollution: The segmented key, including
__proto__, is then passed to an unguardedsetPath()function withini18next-fs-backendor a similarly affected backend, which inadvertently writes a new property ontoObject.prototype. - Application Impact: The modified
Object.prototypepollutes the global object, leading to unexpected application behavior, crashes, configuration poisoning, or the bypass of security checks, potentially enabling further remote execution or data exfiltration.
Impact
This vulnerability directly impacts applications that leverage i18next-http-middleware with an exposed missingKeyHandler to untrusted inputs, specifically when paired with i18next-fs-backend versions up to 2.6.5. Successful exploitation allows attackers to perform remote prototype pollution, enabling them to inject arbitrary properties into Object.prototype. The observed damage can range from application crashes and corrupted translation functionality to critical configuration poisoning and the bypass of property-based security controls. Depending on the specific application logic, this can escalate to full remote code execution, granting attackers control over the compromised system and access to sensitive data.
Recommendation
- Patch CVE-2026-48714: Immediately upgrade
i18next-http-middlewareto version 3.9.7 or later to address CVE-2026-48714. - Patch Companion Vulnerability: Upgrade
i18next-fs-backendto version 2.6.6 or later, as it contains a root-cause fix for companion advisory GHSA-2933-q333-qg83. - Restrict Access to
missingKeyHandler: If immediate patching is not possible, mount themissingKeyHandlerbehind authentication or remove the route entirely to prevent untrusted users from accessing it. - Implement Request Filtering: Add a request-body filter ahead of the
missingKeyHandlerto reject any top-level key containing__proto__,constructor, orprototypeafter splitting on the configuredkeySeparator. - Disable Missing-Key Persistence: When accepting writes from untrusted input, disable missing-key persistence by setting
saveMissing: falsein your i18next configuration. - Deploy Sigma Rules: Deploy the provided Sigma rule to your SIEM to detect attempts at exploiting CVE-2026-48714 via the
missingKeyHandlerendpoint.
Detection coverage 1
Detects CVE-2026-48714 Exploitation — i18next Prototype Pollution
highDetects exploitation attempts against CVE-2026-48714, where `i18next-http-middleware`'s `missingKeyHandler` is abused for prototype pollution via dotted '__proto__' keys in HTTP POST requests.
Detection queries are available on the platform. Get full rules →