<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>I18next-Fs-Backend &lt; 2.6.6 - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/i18next-fs-backend--2.6.6/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Fri, 03 Jul 2026 10:45:06 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/i18next-fs-backend--2.6.6/feed.xml" rel="self" type="application/rss+xml"/><item><title>i18next-fs-backend Prototype Pollution via Crafted Missing-Key String (CVE-2026-48713)</title><link>https://feed.craftedsignal.io/briefs/2026-07-i18next-fs-backend-pollution/</link><pubDate>Fri, 03 Jul 2026 10:45:06 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-i18next-fs-backend-pollution/</guid><description>Untrusted input can exploit a prototype pollution vulnerability (CVE-2026-48713) in `i18next-fs-backend` versions prior to 2.6.6, particularly via `i18next-http-middleware`'s `missingKeyHandler`, by submitting crafted missing-key strings that leverage the `keySeparator` to write arbitrary properties onto `Object.prototype`, leading to crashes, configuration poisoning, or security bypasses.</description><content:encoded><![CDATA[<p>Versions of the <code>i18next-fs-backend</code> Node.js package prior to 2.6.6 are susceptible to a critical prototype pollution vulnerability, identified as CVE-2026-48713. This flaw arises when the backend is configured to persist missing translation keys, especially when exposed to untrusted user input via components like <code>i18next-http-middleware</code>'s <code>missingKeyHandler</code>. An attacker can craft a missing-key string, such as <code>&quot;__proto__.polluted&quot;</code>, which exploits the package's <code>keySeparator</code> splitting logic. This allows the internal <code>setPath()</code> function to write arbitrary properties directly onto the global <code>Object.prototype</code>, effectively polluting the object. This server-side vulnerability can lead to severe consequences, including application crashes, corrupted translation behavior, configuration poisoning, and potential bypasses of property-based security checks. The vulnerability impacts any Node.js application utilizing the affected versions under the specified configuration.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker sends a malicious HTTP request to a web application endpoint that exposes <code>i18next-http-middleware</code>'s <code>missingKeyHandler</code> to untrusted users.</li>
<li>The request body or query parameter contains a specially crafted missing-key string, such as <code>__proto__.polluted=value</code> or <code>constructor.polluted=value</code>.</li>
<li>The <code>i18next-fs-backend</code> (version ≤ 2.6.5) receives this malicious key string for processing and persistence.</li>
<li>The <code>Backend.writeFile()</code> function attempts to process the key and splits it using the configured <code>keySeparator</code> (defaulting to <code>.</code>), generating an array of segments like <code>[&quot;__proto__&quot;, &quot;polluted&quot;]</code>.</li>
<li>An internal path traversal helper, <code>getLastOfPath()</code> in <code>lib/utils.js</code>, is called to walk these segments.</li>
<li>Due to the lack of proper validation or guarding against unsafe segments, this walker successfully traverses into <code>Object.prototype</code>.</li>
<li>The <code>polluted</code> property (or similar) is then created or overwritten on the global <code>Object.prototype</code> with the attacker-controlled <code>value</code>, achieving prototype pollution.</li>
<li>Subsequent application code that accesses properties on objects without specific checks can be affected by the polluted prototype, leading to application crashes, configuration manipulation, or security bypasses.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-48713 can have critical consequences for affected Node.js applications. By injecting arbitrary properties into <code>Object.prototype</code>, attackers can cause application crashes by corrupting expected object structures, manipulate application configuration settings to alter behavior or gain control, or bypass security checks that rely on specific property values. While no specific victim counts are provided, any Node.js application using <code>i18next-fs-backend</code> &lt;= 2.6.5 in combination with an exposed <code>missingKeyHandler</code> or similar untrusted input path is at risk. The impact extends across various sectors, particularly those using Node.js for web development and internationalization.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Immediately upgrade <code>i18next-fs-backend</code> to version 2.6.6 or higher to patch CVE-2026-48713.</li>
<li>Upgrade <code>i18next-http-middleware</code> to version 3.9.7 or higher, as it contains a companion defense-in-depth fix.</li>
<li>If immediate upgrades are not feasible, ensure the <code>missingKeyHandler</code> endpoint of <code>i18next-http-middleware</code> is not exposed to untrusted users (e.g., place it behind authentication or remove the route).</li>
<li>Disable missing-key persistence (<code>saveMissing: false</code>) if accepting writes from untrusted input in your <code>i18next</code> configuration.</li>
<li>As a workaround, set <code>keySeparator: false</code> in your <code>i18next</code> options to prevent backend key splitting, noting this will also disable legitimate nested translation keys.</li>
<li>Deploy the Sigma rule provided in this brief to your SIEM for detection of exploitation attempts via web server logs.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>prototype-pollution</category><category>node.js</category><category>web-application</category><category>vulnerability</category></item></channel></rss>