{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/i18next/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["i18next-http-middleware"],"_cs_severities":["high"],"_cs_tags":["prototype-pollution","path-traversal","ssrf","denial-of-service","i18next"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003ei18next-http-middleware versions prior to 3.9.3 are susceptible to prototype pollution, path traversal, and SSRF attacks. The vulnerability stems from insufficient validation of the \u003ccode\u003elng\u003c/code\u003e (language) and \u003ccode\u003ens\u003c/code\u003e (namespace) parameters passed via HTTP requests to \u003ccode\u003egetResourcesHandler\u003c/code\u003e and \u003ccode\u003emissingKeyHandler\u003c/code\u003e. These handlers, which serve localization resource bundles and accept reports of missing translation keys respectively, expose attack surface because they pass user-controlled input through without sanitization. This allows attackers to write properties onto \u003ccode\u003eObject.prototype\u003c/code\u003e, reach unintended files or internal services through the configured backend, and cause denial-of-service conditions. The vulnerability was discovered via an internal security audit. 
Defenders should upgrade to version 3.9.3 to remediate the risks.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request to the \u003ccode\u003e/locales/resources.json\u003c/code\u003e endpoint, targeting the \u003ccode\u003egetResourcesHandler\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe request includes malicious \u003ccode\u003elng\u003c/code\u003e and \u003ccode\u003ens\u003c/code\u003e query parameters, such as \u003ccode\u003elng=__proto__\u0026amp;ns=isAdmin\u003c/code\u003e, or \u003ccode\u003ens=../../etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egetResourcesHandler\u003c/code\u003e extracts the \u003ccode\u003elng\u003c/code\u003e and \u003ccode\u003ens\u003c/code\u003e parameters without sufficient validation.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003elng\u003c/code\u003e and \u003ccode\u003ens\u003c/code\u003e values are passed to \u003ccode\u003eutils.setPath(resources, [lng, ns], ...)\u003c/code\u003e which allows writing to the Object prototype if \u003ccode\u003elng\u003c/code\u003e is \u003ccode\u003e__proto__\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003elng\u003c/code\u003e and \u003ccode\u003ens\u003c/code\u003e values are passed to \u003ccode\u003ei18next.services.backendConnector.load(languages, namespaces, ...)\u003c/code\u003e to load resource bundles. 
With filesystem or HTTP backends, this can enable path traversal or SSRF if \u003ccode\u003ens\u003c/code\u003e or \u003ccode\u003elng\u003c/code\u003e contain malicious path segments.\u003c/li\u003e\n\u003cli\u003eAlternatively, the attacker sends a POST request with a body containing a malicious \u003ccode\u003e__proto__\u003c/code\u003e key to \u003ccode\u003emissingKeyHandler\u003c/code\u003e, for example \u003ccode\u003e{\u0026quot;__proto__\u0026quot;: {\u0026quot;isAdmin\u0026quot;: true}}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003emissingKeyHandler\u003c/code\u003e iterates over the request body using \u003ccode\u003efor...in\u003c/code\u003e, which does not filter out \u003ccode\u003e__proto__\u003c/code\u003e or inherited prototype properties, and forwards the malicious keys into \u003ccode\u003esaveMissing\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eSuccessful exploitation leads to prototype pollution, arbitrary file access, SSRF, or denial of service, depending on the configured backend.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can have significant consequences. Prototype pollution lets an attacker set properties that every object in the process inherits, leading to broken authorization checks (e.g., bypassing \u003ccode\u003eif (user.isAdmin)\u003c/code\u003e), type confusion errors, or potentially remote code execution. Path traversal enables access to sensitive files on the server, such as configuration files or password databases, while SSRF allows attackers to interact with internal services. Finally, the unbounded growth of the \u003ccode\u003ei18next.options.ns\u003c/code\u003e list and repeated backend load calls for attacker-chosen namespaces can exhaust memory and CPU, causing denial of service. 
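\u003cp\u003eThe following is an added example, not code from i18next-http-middleware or the original brief. It reproduces the \u003ccode\u003esetPath\u003c/code\u003e pattern described in the attack chain, shows the \u003ccode\u003e__proto__\u003c/code\u003e write landing on \u003ccode\u003eObject.prototype\u003c/code\u003e, and pairs it with a hardened version that applies the same segment allow-list to the \u003ccode\u003emissingKeyHandler\u003c/code\u003e body keys. The function names (\u003ccode\u003enaiveSetPath\u003c/code\u003e, \u003ccode\u003esafeSetPath\u003c/code\u003e, \u003ccode\u003eisSafeSegment\u003c/code\u003e, \u003ccode\u003ecollectMissingKeys\u003c/code\u003e) and the sample payloads are assumptions for illustration.\u003c/p\u003e

```javascript
// Added example, not code from i18next-http-middleware. It reproduces the
// setPath pattern from the attack chain above and the fix a practitioner
// would apply. naiveSetPath, safeSetPath, isSafeSegment, collectMissingKeys
// and the sample payloads are assumptions for illustration.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern: walks [lng, ns, ...] and creates objects on the way.
// For a plain object, obj['__proto__'] is Object.prototype, so a first
// segment of "__proto__" makes the final write land on the global prototype.
function naiveSetPath(obj, path, value) {
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    if (cur[path[i]] === undefined) cur[path[i]] = {};
    cur = cur[path[i]];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// Allow-list check for lng/ns: no prototype keys, no traversal or path
// separators, no control characters, bounded length.
function isSafeSegment(s) {
  if (typeof s !== 'string' || s.length === 0 || s.length > 64) return false;
  if (FORBIDDEN_KEYS.has(s)) return false;
  if (s.includes('..')) return false;
  return !/[\/\\\x00-\x1f\x7f]/.test(s);
}

// Hardened version: reject unsafe segments up front, only descend into own
// properties, and create intermediate nodes without a prototype at all.
function safeSetPath(obj, path, value) {
  if (path.length === 0 || !path.every(isSafeSegment)) {
    throw new Error('unsafe path segment');
  }
  let cur = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const k = path[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k)) cur[k] = Object.create(null);
    cur = cur[k];
  }
  cur[path[path.length - 1]] = value;
  return obj;
}

// missingKeyHandler side: a parsed JSON body may carry an *own* key named
// "__proto__" (JSON.parse does not treat it specially), and for...in would
// also walk inherited keys. Iterate own keys only and filter them.
function collectMissingKeys(body) {
  const out = [];
  for (const key of Object.keys(body)) {
    if (isSafeSegment(key) && typeof body[key] === 'string') out.push(key);
  }
  return out;
}

// Runs both versions against the lng=__proto__&ns=isAdmin payload.
function demo() {
  naiveSetPath({}, ['__proto__', 'isAdmin'], true);
  const polluted = ({}).isAdmin === true;   // unrelated objects now "isAdmin"
  delete Object.prototype.isAdmin;          // undo so the rest of the run is honest

  let rejected = false;
  try { safeSetPath({}, ['__proto__', 'isAdmin'], true); } catch (e) { rejected = true; }
  const clean = ({}).isAdmin === undefined;

  // Constructed body in the shape of step 6 above.
  const body = JSON.parse('{"__proto__":{"isAdmin":true},"welcome":"Hello"}');
  return { polluted, rejected, clean, keys: collectMissingKeys(body) };
}
```

\u003cp\u003eRunning \u003ccode\u003edemo()\u003c/code\u003e returns \u003ccode\u003epolluted: true\u003c/code\u003e for the naive version and \u003ccode\u003erejected: true\u003c/code\u003e for the hardened one, and \u003ccode\u003ecollectMissingKeys\u003c/code\u003e drops the \u003ccode\u003e__proto__\u003c/code\u003e key while keeping \u003ccode\u003ewelcome\u003c/code\u003e. The allow-list is the important part: filtering only \u003ccode\u003e__proto__\u003c/code\u003e still leaves \u003ccode\u003econstructor\u003c/code\u003e followed by \u003ccode\u003eprototype\u003c/code\u003e as a route to the same object, which is why the WAF guidance below names all three.\u003c/p\u003e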
Such resource exhaustion can degrade the availability of the service and potentially of other services on the same host.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ei18next-http-middleware\u003c/code\u003e version 3.9.3 or later to address the vulnerabilities.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules that accompany the brief to detect exploitation attempts targeting the \u003ccode\u003egetResourcesHandler\u003c/code\u003e and \u003ccode\u003emissingKeyHandler\u003c/code\u003e endpoints.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, implement a WAF rule as a partial mitigation to block requests containing \u003ccode\u003e__proto__\u003c/code\u003e, \u003ccode\u003econstructor\u003c/code\u003e, \u003ccode\u003eprototype\u003c/code\u003e, \u003ccode\u003e..\u003c/code\u003e, or control characters in \u003ccode\u003elng\u003c/code\u003e/\u003ccode\u003ens\u003c/code\u003e query parameters or body keys, as suggested in the advisory. Treat this as a stopgap: encoding variants can slip past a string match, and only the upgrade removes the flaw.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-i18next-http-middleware-vuln/","summary":"Versions of i18next-http-middleware before 3.9.3 are vulnerable to prototype pollution, path traversal, and server-side request forgery (SSRF) due to improper validation of user-controlled language and namespace parameters, potentially leading to denial of service or remote code execution.","title":"i18next-http-middleware Prototype Pollution and Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-i18next-http-middleware-vuln/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["i18next-fs-backend"],"_cs_severities":["high"],"_cs_tags":["path-traversal","i18next","arbitrary-file-read","arbitrary-file-write","code-execution"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe i18next-fs-backend 
library, a file system backend for the i18next internationalization framework, is vulnerable to a path traversal attack in versions prior to 2.6.4. This vulnerability arises from the unsanitized use of the \u003ccode\u003elng\u003c/code\u003e (language) and \u003ccode\u003ens\u003c/code\u003e (namespace) parameters when constructing file paths for loading and writing locale files. If an application exposes the language code to user input, an attacker can craft a malicious \u003ccode\u003elng\u003c/code\u003e or \u003ccode\u003ens\u003c/code\u003e value containing directory traversal sequences (e.g., \u003ccode\u003e../\u003c/code\u003e) to escape the intended locale directory. Successful exploitation can lead to arbitrary file read, arbitrary file overwrite, and, if \u003ccode\u003e.js\u003c/code\u003e or \u003ccode\u003e.ts\u003c/code\u003e files are used for localization, arbitrary code execution. This vulnerability highlights the importance of input validation, especially when constructing file paths from user-controlled data. 
The vulnerability was patched in version 2.6.4.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an application that uses a vulnerable version of \u003ccode\u003ei18next-fs-backend\u003c/code\u003e (prior to 2.6.4) and exposes the language code to user input via query parameters (e.g., \u003ccode\u003e?lng=\u003c/code\u003e), cookies, or request headers.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious \u003ccode\u003elng\u003c/code\u003e value containing directory traversal sequences, such as \u003ccode\u003e../../../../etc\u003c/code\u003e, to target files outside the intended locale directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the application with the crafted \u003ccode\u003elng\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application passes the unsanitized \u003ccode\u003elng\u003c/code\u003e value to \u003ccode\u003ei18next\u003c/code\u003e, for example through \u003ccode\u003ei18next.t()\u003c/code\u003e, which triggers a resource load for that language.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ei18next-fs-backend\u003c/code\u003e library interpolates the malicious \u003ccode\u003elng\u003c/code\u003e value into the \u003ccode\u003eloadPath\u003c/code\u003e template without validation. For example, \u003ccode\u003eloadPath: '/locales/{{lng}}/{{ns}}.json'\u003c/code\u003e becomes \u003ccode\u003e/locales/../../../../etc/{{ns}}.json\u003c/code\u003e, which resolves to a path under \u003ccode\u003e/etc\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe backend attempts to read the file at the crafted path (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e). Note that the suffix appended by the \u003ccode\u003eloadPath\u003c/code\u003e template (such as \u003ccode\u003e.json\u003c/code\u003e) constrains which filenames can be reached.\u003c/li\u003e\n\u003cli\u003eIf successful, the contents of the targeted file are returned as a translation resource, potentially exposing sensitive information. 
If the attacker can point the \u003ccode\u003elng\u003c/code\u003e or \u003ccode\u003ens\u003c/code\u003e value at a \u003ccode\u003e.js\u003c/code\u003e or \u003ccode\u003e.ts\u003c/code\u003e file containing malicious code, the backend will execute the file using \u003ccode\u003eeval()\u003c/code\u003e, leading to arbitrary code execution on the server.\u003c/li\u003e\n\u003cli\u003eAlternatively, if the application writes a missing translation key using the crafted path (via \u003ccode\u003eaddPath\u003c/code\u003e), the attacker can overwrite arbitrary files on the system, potentially leading to application compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can have severe consequences. Arbitrary file read allows attackers to access sensitive data, such as configuration files, database credentials, or application source code. Arbitrary file overwrite can lead to application malfunction or complete compromise. If the application uses \u003ccode\u003e.js\u003c/code\u003e or \u003ccode\u003e.ts\u003c/code\u003e files for localization, and the attacker can steer the load path to a file they control or first plant one through the \u003ccode\u003eaddPath\u003c/code\u003e write, arbitrary code execution can result, potentially giving the attacker full control of the server. 
The number of victims depends on the popularity and configuration of applications using the vulnerable \u003ccode\u003ei18next-fs-backend\u003c/code\u003e library.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ei18next-fs-backend\u003c/code\u003e version 2.6.4 or later to patch the path traversal vulnerability as this version introduces the \u003ccode\u003eisSafePathSegment\u003c/code\u003e and \u003ccode\u003einterpolatePath\u003c/code\u003e functions to sanitize the path.\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, sanitize the \u003ccode\u003elng\u003c/code\u003e and \u003ccode\u003ens\u003c/code\u003e values at the application boundary before passing them to \u003ccode\u003ei18next\u003c/code\u003e. Reject values containing \u003ccode\u003e..\u003c/code\u003e, \u003ccode\u003e/\u003c/code\u003e, \u003ccode\u003e\\\u003c/code\u003e, control characters, and limit the length to prevent path traversal as mentioned in the advisory.\u003c/li\u003e\n\u003cli\u003eIf using \u003ccode\u003e.js\u003c/code\u003e or \u003ccode\u003e.ts\u003c/code\u003e locale files, carefully review them for any suspicious or unexpected code. The advisory highlights that these files must be treated as trusted code.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing directory traversal sequences in the \u003ccode\u003elng\u003c/code\u003e or \u003ccode\u003ens\u003c/code\u003e parameters. 
The first Sigma rule that accompanies the brief serves this purpose.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-25T12:00:00Z","date_published":"2024-01-25T12:00:00Z","id":"/briefs/2024-01-25-i18next-fs-backend-path-traversal/","summary":"i18next-fs-backend versions before 2.6.4 are vulnerable to path traversal due to insufficient sanitization of the lng and ns values, potentially allowing attackers to read arbitrary files, overwrite files, or execute code if .js or .ts locale files are in use.","title":"i18next-fs-backend Path Traversal Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-25-i18next-fs-backend-path-traversal/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["i18next-http-middleware"],"_cs_severities":["medium"],"_cs_tags":["crlf-injection","http-response-splitting","denial-of-service","i18next"],"_cs_type":"advisory","_cs_vendors":["npm"],"content_html":"\u003cp\u003eThe \u003ccode\u003ei18next-http-middleware\u003c/code\u003e library, in versions prior to 3.9.3, insufficiently sanitizes user-controlled language values before writing them into the \u003ccode\u003eContent-Language\u003c/code\u003e HTTP response header. The \u003ccode\u003eutils.escape()\u003c/code\u003e function used for sanitization performs HTML-entity encoding, which is the wrong tool for a header value: it leaves carriage return and line feed characters intact. When the application uses an older \u003ccode\u003ei18next\u003c/code\u003e (\u0026lt; 19.5.0) or otherwise passes raw detected values through, CRLF sequences in the \u003ccode\u003elng\u003c/code\u003e parameter reach \u003ccode\u003eres.setHeader('Content-Language', ...)\u003c/code\u003e unchanged. This results in HTTP response splitting (Node.js \u0026lt; 14.6.0) or a denial-of-service condition (Node.js \u0026gt;= 14.6.0), affecting all concurrent users of the affected process. The vulnerable header write is reached more than once per request. 
This issue is resolved in version 3.9.3.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an application using a vulnerable version of \u003ccode\u003ei18next-http-middleware\u003c/code\u003e. The request includes a \u003ccode\u003elng\u003c/code\u003e parameter with a payload containing CRLF sequences (e.g., \u003ccode\u003e%0d%0a\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ei18next-http-middleware\u003c/code\u003e receives the request and extracts the language value from the \u003ccode\u003elng\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe extracted language value is passed through \u003ccode\u003eutils.escape()\u003c/code\u003e, which performs HTML-entity encoding but does not remove CRLF sequences.\u003c/li\u003e\n\u003cli\u003eThe middleware attempts to set the \u003ccode\u003eContent-Language\u003c/code\u003e header using \u003ccode\u003eres.setHeader()\u003c/code\u003e, incorporating the unsanitized language value.\u003c/li\u003e\n\u003cli\u003eIf the Node.js version is less than 14.6.0, the \u003ccode\u003eres.setHeader()\u003c/code\u003e function processes the CRLF sequences, resulting in HTTP response splitting. 
This allows the attacker to inject arbitrary headers and control parts of the response body.\u003c/li\u003e\n\u003cli\u003eIf the Node.js version is 14.6.0 or greater, \u003ccode\u003eres.setHeader()\u003c/code\u003e rejects the value and throws an \u003ccode\u003eERR_INVALID_CHAR\u003c/code\u003e error because it contains CRLF sequences.\u003c/li\u003e\n\u003cli\u003eThe middleware does not catch this error, so the exception propagates out of the request handler unhandled.\u003c/li\u003e\n\u003cli\u003eThe unhandled exception causes the Node.js process to terminate or become unresponsive, resulting in a denial-of-service condition for all concurrent users sharing that process.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eOn Node.js versions before 14.6.0, successful exploitation allows attackers to inject arbitrary HTTP headers, leading to session fixation, cache poisoning, or reflected XSS. On Node.js 14.6.0 and later, exploitation instead leads to a denial-of-service condition, potentially affecting all users of an application instance. Either outcome means significant disruption of service availability and, in the response-splitting case, potential data compromise. 
The number of affected applications is unknown, but any application using a vulnerable version of \u003ccode\u003ei18next-http-middleware\u003c/code\u003e is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade \u003ccode\u003ei18next-http-middleware\u003c/code\u003e to version 3.9.3 or later, which sanitizes the value with \u003ccode\u003eutils.sanitizeHeaderValue()\u003c/code\u003e before the header is written, as described in the advisory.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect i18next-http-middleware CRLF Injection Attempt\u003c/code\u003e to monitor for exploitation attempts by flagging URL-encoded CR/LF characters (\u003ccode\u003e%0d\u003c/code\u003e, \u003ccode\u003e%0a\u003c/code\u003e) in HTTP requests.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to reject requests containing \u003ccode\u003e\\r\u003c/code\u003e or \u003ccode\u003e\\n\u003c/code\u003e characters in query parameters, cookies, and path segments as a partial mitigation, as suggested in the advisory.\u003c/li\u003e\n\u003cli\u003eEnsure web server access logging is enabled so that exploitation attempts are captured for analysis.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-i18next-http-middleware-crlf/","summary":"i18next-http-middleware versions before 3.9.3 are vulnerable to HTTP response splitting and denial-of-service attacks due to unsanitized Content-Language headers, potentially leading to session fixation, cache poisoning, reflected XSS, or complete service disruption depending on the Node.js version.","title":"i18next-http-middleware HTTP Response Splitting and DoS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-i18next-http-middleware-crlf/"}],"language":"en","title":"CraftedSignal Threat Feed — I18next","version":"https://jsonfeed.org/version/1.1"}