{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/cpes/cpe2.3ai18nexti18next-http-middlewarenode.js/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":["cpe:2.3:a:i18next:i18next-http-middleware:*:*:*:*:*:node.js:*:*"],"_cs_cves":[{"cvss":9.1,"id":"CVE-2026-48714"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["i18next-http-middleware (\u003c 3.9.7)","i18next-fs-backend (\u003c 2.6.6)"],"_cs_severities":["critical"],"_cs_tags":["web-vulnerability","prototype-pollution","npm","nodejs"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical prototype pollution vulnerability, identified as CVE-2026-48714, affects \u003ccode\u003ei18next-http-middleware\u003c/code\u003e versions 3.9.6 and earlier. This flaw specifically impacts the \u003ccode\u003emissingKeyHandler\u003c/code\u003e, which is designed to process keys for missing translations. While previous versions introduced denylists for literal unsafe keys like \u003ccode\u003e__proto__\u003c/code\u003e, this vulnerability arises because the handler failed to block dotted variants, such as \u003ccode\u003e\u0026quot;__proto__.polluted\u0026quot;\u003c/code\u003e. When applications expose this \u003ccode\u003emissingKeyHandler\u003c/code\u003e to untrusted user input and are combined with vulnerable backend packages like \u003ccode\u003ei18next-fs-backend\u003c/code\u003e versions 2.6.5 or earlier, an attacker can exploit this oversight. The \u003ccode\u003ekeySeparator\u003c/code\u003e (default \u003ccode\u003e.\u003c/code\u003e) within these backends splits the malicious key, passing it to an unguarded \u003ccode\u003esetPath()\u003c/code\u003e function that then directly writes to \u003ccode\u003eObject.prototype\u003c/code\u003e. Successful exploitation can lead to severe consequences including application crashes, corrupted translation behavior, configuration poisoning, and bypasses of property-based security checks, with potential for remote code execution. Patches are available in \u003ccode\u003ei18next-http-middleware 3.9.7\u003c/code\u003e and \u003ccode\u003ei18next-fs-backend 2.6.6\u003c/code\u003e.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eReconnaissance \u0026amp; Target Identification\u003c/strong\u003e: An attacker identifies a web application utilizing \u003ccode\u003ei18next-http-middleware\u003c/code\u003e and \u003ccode\u003ei18next-fs-backend\u003c/code\u003e with an exposed \u003ccode\u003emissingKeyHandler\u003c/code\u003e endpoint that accepts untrusted input.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eVulnerability Confirmation\u003c/strong\u003e: The attacker sends test requests to confirm the application's response to various keys, probing for the behavior of the \u003ccode\u003emissingKeyHandler\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCraft Malicious Request\u003c/strong\u003e: The attacker crafts a specially designed HTTP POST request targeting the exposed \u003ccode\u003emissingKeyHandler\u003c/code\u003e endpoint, including a malicious key in the request body, such as \u003ccode\u003e\u0026quot;__proto__.polluted=value\u0026quot;\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eHandler Processing\u003c/strong\u003e: The \u003ccode\u003ei18next-http-middleware\u003c/code\u003e receives the request and passes the malicious key to its \u003ccode\u003emissingKeyHandler\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eKey Segmentation\u003c/strong\u003e: Inside the \u003ccode\u003emissingKeyHandler\u003c/code\u003e (or the downstream backend), the configured \u003ccode\u003ekeySeparator\u003c/code\u003e (typically \u003ccode\u003e.\u003c/code\u003e) splits the \u003ccode\u003e\u0026quot;__proto__.polluted\u0026quot;\u003c/code\u003e key into segments.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePrototype Pollution\u003c/strong\u003e: The segmented key, including \u003ccode\u003e__proto__\u003c/code\u003e, is then passed to an unguarded \u003ccode\u003esetPath()\u003c/code\u003e function within \u003ccode\u003ei18next-fs-backend\u003c/code\u003e or a similarly affected backend, which inadvertently writes a new property onto \u003ccode\u003eObject.prototype\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eApplication Impact\u003c/strong\u003e: The modified \u003ccode\u003eObject.prototype\u003c/code\u003e pollutes the global object, leading to unexpected application behavior, crashes, configuration poisoning, or the bypass of security checks, potentially enabling further remote execution or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThis vulnerability directly impacts applications that leverage \u003ccode\u003ei18next-http-middleware\u003c/code\u003e with an exposed \u003ccode\u003emissingKeyHandler\u003c/code\u003e to untrusted inputs, specifically when paired with \u003ccode\u003ei18next-fs-backend\u003c/code\u003e versions up to 2.6.5. Successful exploitation allows attackers to perform remote prototype pollution, enabling them to inject arbitrary properties into \u003ccode\u003eObject.prototype\u003c/code\u003e. The observed damage can range from application crashes and corrupted translation functionality to critical configuration poisoning and the bypass of property-based security controls. Depending on the specific application logic, this can escalate to full remote code execution, granting attackers control over the compromised system and access to sensitive data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003e\u003cstrong\u003ePatch CVE-2026-48714\u003c/strong\u003e: Immediately upgrade \u003ccode\u003ei18next-http-middleware\u003c/code\u003e to version 3.9.7 or later to address CVE-2026-48714.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003ePatch Companion Vulnerability\u003c/strong\u003e: Upgrade \u003ccode\u003ei18next-fs-backend\u003c/code\u003e to version 2.6.6 or later, as it contains a root-cause fix for companion advisory GHSA-2933-q333-qg83.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eRestrict Access to \u003ccode\u003emissingKeyHandler\u003c/code\u003e\u003c/strong\u003e: If immediate patching is not possible, mount the \u003ccode\u003emissingKeyHandler\u003c/code\u003e behind authentication or remove the route entirely to prevent untrusted users from accessing it.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eImplement Request Filtering\u003c/strong\u003e: Add a request-body filter ahead of the \u003ccode\u003emissingKeyHandler\u003c/code\u003e to reject any top-level key containing \u003ccode\u003e__proto__\u003c/code\u003e, \u003ccode\u003econstructor\u003c/code\u003e, or \u003ccode\u003eprototype\u003c/code\u003e after splitting on the configured \u003ccode\u003ekeySeparator\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDisable Missing-Key Persistence\u003c/strong\u003e: When accepting writes from untrusted input, disable missing-key persistence by setting \u003ccode\u003esaveMissing: false\u003c/code\u003e in your i18next configuration.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eDeploy Sigma Rules\u003c/strong\u003e: Deploy the provided Sigma rule to your SIEM to detect attempts at exploiting CVE-2026-48714 via the \u003ccode\u003emissingKeyHandler\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-03T10:46:14Z","date_published":"2026-07-03T10:46:14Z","id":"https://feed.craftedsignal.io/briefs/2026-07-i18next-prototype-pollution/","summary":"A critical prototype pollution vulnerability (CVE-2026-48714) exists in `i18next-http-middleware` versions up to 3.9.6, where the `missingKeyHandler` fails to adequately sanitize dotted key segments, allowing attackers to manipulate `Object.prototype` when exposed to untrusted input and used with vulnerable `i18next-fs-backend` versions up to 2.6.5, potentially leading to configuration poisoning, security bypasses, crashes, or remote code execution.","title":"i18next-http-middleware Prototype Pollution via missingKeyHandler (CVE-2026-48714)","url":"https://feed.craftedsignal.io/briefs/2026-07-i18next-prototype-pollution/"}],"language":"en","title":"CraftedSignal Threat Feed - Cpe:2.3:a:i18next:i18next-Http-Middleware:*:*:*:*:*:node.js:*:*","version":"https://jsonfeed.org/version/1.1"}