<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Cpe:2.3:a:i18next:i18next-Http-Middleware:*:*:*:*:*:node.js:*:* - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/cpes/cpe2.3ai18nexti18next-http-middlewarenode.js/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 10:46:14 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/cpes/cpe2.3ai18nexti18next-http-middlewarenode.js/feed.xml" rel="self" type="application/rss+xml"/><item><title>i18next-http-middleware Prototype Pollution via missingKeyHandler (CVE-2026-48714)</title><link>https://feed.craftedsignal.io/briefs/2026-07-i18next-prototype-pollution/</link><pubDate>Fri, 03 Jul 2026 10:46:14 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-i18next-prototype-pollution/</guid><description>A critical prototype pollution vulnerability (CVE-2026-48714) exists in `i18next-http-middleware` versions up to 3.9.6, where the `missingKeyHandler` fails to adequately sanitize dotted key segments, allowing attackers to manipulate `Object.prototype` when exposed to untrusted input and used with vulnerable `i18next-fs-backend` versions up to 2.6.5, potentially leading to configuration poisoning, security bypasses, crashes, or remote code execution.</description><content:encoded><![CDATA[<p>A critical prototype pollution vulnerability, identified as CVE-2026-48714, affects <code>i18next-http-middleware</code> versions 3.9.6 and earlier. This flaw specifically impacts the <code>missingKeyHandler</code>, which is designed to process keys for missing translations. While previous versions introduced denylists for literal unsafe keys like <code>__proto__</code>, this vulnerability arises because the handler failed to block dotted variants, such as <code>&quot;__proto__.polluted&quot;</code>. When applications expose this <code>missingKeyHandler</code> to untrusted user input and are combined with vulnerable backend packages like <code>i18next-fs-backend</code> versions 2.6.5 or earlier, an attacker can exploit this oversight. The <code>keySeparator</code> (default <code>.</code>) within these backends splits the malicious key, passing it to an unguarded <code>setPath()</code> function that then directly writes to <code>Object.prototype</code>. Successful exploitation can lead to severe consequences including application crashes, corrupted translation behavior, configuration poisoning, and bypasses of property-based security checks, with potential for remote code execution. Patches are available in <code>i18next-http-middleware 3.9.7</code> and <code>i18next-fs-backend 2.6.6</code>.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li><strong>Reconnaissance &amp; Target Identification</strong>: An attacker identifies a web application utilizing <code>i18next-http-middleware</code> and <code>i18next-fs-backend</code> with an exposed <code>missingKeyHandler</code> endpoint that accepts untrusted input.</li>
<li><strong>Vulnerability Confirmation</strong>: The attacker sends test requests to confirm the application's response to various keys, probing for the behavior of the <code>missingKeyHandler</code>.</li>
<li><strong>Craft Malicious Request</strong>: The attacker crafts a specially designed HTTP POST request targeting the exposed <code>missingKeyHandler</code> endpoint, including a malicious key in the request body, such as <code>&quot;__proto__.polluted=value&quot;</code>.</li>
<li><strong>Handler Processing</strong>: The <code>i18next-http-middleware</code> receives the request and passes the malicious key to its <code>missingKeyHandler</code> function.</li>
<li><strong>Key Segmentation</strong>: Inside the <code>missingKeyHandler</code> (or the downstream backend), the configured <code>keySeparator</code> (typically <code>.</code>) splits the <code>&quot;__proto__.polluted&quot;</code> key into segments.</li>
<li><strong>Prototype Pollution</strong>: The segmented key, including <code>__proto__</code>, is then passed to an unguarded <code>setPath()</code> function within <code>i18next-fs-backend</code> or a similarly affected backend, which inadvertently writes a new property onto <code>Object.prototype</code>.</li>
<li><strong>Application Impact</strong>: The modified <code>Object.prototype</code> pollutes the global object, leading to unexpected application behavior, crashes, configuration poisoning, or the bypass of security checks, potentially enabling further remote execution or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>This vulnerability directly impacts applications that leverage <code>i18next-http-middleware</code> with an exposed <code>missingKeyHandler</code> to untrusted inputs, specifically when paired with <code>i18next-fs-backend</code> versions up to 2.6.5. Successful exploitation allows attackers to perform remote prototype pollution, enabling them to inject arbitrary properties into <code>Object.prototype</code>. The observed damage can range from application crashes and corrupted translation functionality to critical configuration poisoning and the bypass of property-based security controls. Depending on the specific application logic, this can escalate to full remote code execution, granting attackers control over the compromised system and access to sensitive data.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li><strong>Patch CVE-2026-48714</strong>: Immediately upgrade <code>i18next-http-middleware</code> to version 3.9.7 or later to address CVE-2026-48714.</li>
<li><strong>Patch Companion Vulnerability</strong>: Upgrade <code>i18next-fs-backend</code> to version 2.6.6 or later, as it contains a root-cause fix for companion advisory GHSA-2933-q333-qg83.</li>
<li><strong>Restrict Access to <code>missingKeyHandler</code></strong>: If immediate patching is not possible, mount the <code>missingKeyHandler</code> behind authentication or remove the route entirely to prevent untrusted users from accessing it.</li>
<li><strong>Implement Request Filtering</strong>: Add a request-body filter ahead of the <code>missingKeyHandler</code> to reject any top-level key containing <code>__proto__</code>, <code>constructor</code>, or <code>prototype</code> after splitting on the configured <code>keySeparator</code>.</li>
<li><strong>Disable Missing-Key Persistence</strong>: When accepting writes from untrusted input, disable missing-key persistence by setting <code>saveMissing: false</code> in your i18next configuration.</li>
<li><strong>Deploy Sigma Rules</strong>: Deploy the provided Sigma rule to your SIEM to detect attempts at exploiting CVE-2026-48714 via the <code>missingKeyHandler</code> endpoint.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>web-vulnerability</category><category>prototype-pollution</category><category>npm</category><category>nodejs</category></item></channel></rss>