{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3ai18nexti18next-fs-backendnode.js/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:i18next:i18next-fs-backend:*:*:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-48713"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["i18next-fs-backend \u003c 2.6.6","i18next-http-middleware \u003c 3.9.7"],"_cs_severities":["critical"],"_cs_tags":["prototype-pollution","node.js","web-application","vulnerability"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eVersions of the \u003ccode\u003ei18next-fs-backend\u003c/code\u003e Node.js package prior to 2.6.6 are susceptible to a critical prototype pollution vulnerability, identified as CVE-2026-48713. This flaw arises when the backend is configured to persist missing translation keys, especially when exposed to untrusted user input via components like \u003ccode\u003ei18next-http-middleware\u003c/code\u003e's \u003ccode\u003emissingKeyHandler\u003c/code\u003e. An attacker can craft a missing-key string, such as \u003ccode\u003e\u0026quot;__proto__.polluted\u0026quot;\u003c/code\u003e, which exploits the package's \u003ccode\u003ekeySeparator\u003c/code\u003e splitting logic. This allows the internal \u003ccode\u003esetPath()\u003c/code\u003e function to write arbitrary properties directly onto the global \u003ccode\u003eObject.prototype\u003c/code\u003e, effectively polluting the object. This server-side vulnerability can lead to severe consequences, including application crashes, corrupted translation behavior, configuration poisoning, and potential bypasses of property-based security checks. The vulnerability impacts any Node.js application utilizing the affected versions under the specified configuration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker sends a malicious HTTP request to a web application endpoint that exposes \u003ccode\u003ei18next-http-middleware\u003c/code\u003e's \u003ccode\u003emissingKeyHandler\u003c/code\u003e to untrusted users.\u003c/li\u003e\n\u003cli\u003eThe request body or query parameter contains a specially crafted missing-key string, such as \u003ccode\u003e__proto__.polluted=value\u003c/code\u003e or \u003ccode\u003econstructor.polluted=value\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ei18next-fs-backend\u003c/code\u003e (version ≤ 2.6.5) receives this malicious key string for processing and persistence.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eBackend.writeFile()\u003c/code\u003e function attempts to process the key and splits it using the configured \u003ccode\u003ekeySeparator\u003c/code\u003e (defaulting to \u003ccode\u003e.\u003c/code\u003e), generating an array of segments like \u003ccode\u003e[\u0026quot;__proto__\u0026quot;, \u0026quot;polluted\u0026quot;]\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn internal path traversal helper, \u003ccode\u003egetLastOfPath()\u003c/code\u003e in \u003ccode\u003elib/utils.js\u003c/code\u003e, is called to walk these segments.\u003c/li\u003e\n\u003cli\u003eDue to the lack of proper validation or guarding against unsafe segments, this walker successfully traverses into \u003ccode\u003eObject.prototype\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003epolluted\u003c/code\u003e property (or similar) is then created or overwritten on the global \u003ccode\u003eObject.prototype\u003c/code\u003e with the attacker-controlled \u003ccode\u003evalue\u003c/code\u003e, achieving prototype pollution.\u003c/li\u003e\n\u003cli\u003eSubsequent application code that accesses properties on objects without specific checks can be affected by the polluted prototype, leading to application crashes, configuration manipulation, or security bypasses.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-48713 can have critical consequences for affected Node.js applications. By injecting arbitrary properties into \u003ccode\u003eObject.prototype\u003c/code\u003e, attackers can cause application crashes by corrupting expected object structures, manipulate application configuration settings to alter behavior or gain control, or bypass security checks that rely on specific property values. While no specific victim counts are provided, any Node.js application using \u003ccode\u003ei18next-fs-backend\u003c/code\u003e \u0026lt;= 2.6.5 in combination with an exposed \u003ccode\u003emissingKeyHandler\u003c/code\u003e or similar untrusted input path is at risk. The impact extends across various sectors, particularly those using Node.js for web development and internationalization.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImmediately upgrade \u003ccode\u003ei18next-fs-backend\u003c/code\u003e to version 2.6.6 or higher to patch CVE-2026-48713.\u003c/li\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ei18next-http-middleware\u003c/code\u003e to version 3.9.7 or higher, as it contains a companion defense-in-depth fix.\u003c/li\u003e\n\u003cli\u003eIf immediate upgrades are not feasible, ensure the \u003ccode\u003emissingKeyHandler\u003c/code\u003e endpoint of \u003ccode\u003ei18next-http-middleware\u003c/code\u003e is not exposed to untrusted users (e.g., place it behind authentication or remove the route).\u003c/li\u003e\n\u003cli\u003eDisable missing-key persistence (\u003ccode\u003esaveMissing: false\u003c/code\u003e) if accepting writes from untrusted input in your \u003ccode\u003ei18next\u003c/code\u003e configuration.\u003c/li\u003e\n\u003cli\u003eAs a workaround, set \u003ccode\u003ekeySeparator: false\u003c/code\u003e in your \u003ccode\u003ei18next\u003c/code\u003e options to prevent backend key splitting, noting this will also disable legitimate nested translation keys.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM for detection of exploitation attempts via web server logs.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T10:45:06Z","date_published":"2026-07-03T10:45:06Z","id":"https://feed.craftedsignal.io/briefs/2026-07-i18next-fs-backend-pollution/","summary":"Untrusted input can exploit a prototype pollution vulnerability (CVE-2026-48713) in `i18next-fs-backend` versions prior to 2.6.6, particularly via `i18next-http-middleware`'s `missingKeyHandler`, by submitting crafted missing-key strings that leverage the `keySeparator` to write arbitrary properties onto `Object.prototype`, leading to crashes, configuration poisoning, or security bypasses.","title":"i18next-fs-backend Prototype Pollution via Crafted Missing-Key String (CVE-2026-48713)","url":"https://feed.craftedsignal.io/briefs/2026-07-i18next-fs-backend-pollution/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:i18next:i18next-Fs-Backend:*:*:*:*:*:node.js:*:*","version":"https://jsonfeed.org/version/1.1"}