Impact
The vulnerability allows attackers to inject carriage return and line feed characters into the Content-Language response header, which leads to HTTP response splitting. This can result in header injection and potentially cause a denial of service by corrupting the response. The flaw originates from the use of an HTML-entity encoder that does not filter control characters, and the issue is mitigated by updating to i18next-http-middleware 3.9.3 and ensuring i18next is at least 19.5.0.
Affected Systems
Applications built with Node.js web frameworks such as Express or Fastify that use the i18next-http-middleware package at a version older than 3.9.3 are affected, particularly when they run an i18next version below 19.5.0, which still triggers the backward-compatibility fallback in LanguageDetector.js. Any deployment combining these component versions is vulnerable.
Risk and Exploitability
The vulnerability carries a CVSS score of 8.6, indicating high severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is an HTTP request that supplies an attacker-controlled lng parameter containing CRLF sequences; this vector could be leveraged to perform response splitting and potentially disrupt application behavior or serve as a stepping stone for further attacks. Cross-site scripting is not directly supported by the vulnerability description.
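As an added illustration (not code from i18next-http-middleware, i18next or OpenCVE), the Node.js snippet below contrasts the weak pattern the advisory describes, an HTML-entity encoder that passes CR and LF through untouched, with a strict language-tag validator that refuses anything but a well-formed tag before it reaches Content-Language. It also includes a small detection check that flags request lines whose lng query parameter carries a raw or percent-encoded CR or LF. The function names, the tag regular expression and the sample request lines are assumptions of this example; the middleware's real code is not reproduced.

```javascript
// Added example, not the project's own code. Names, regex and sample data
// are constructed for illustration.

const CRLF_RE = /[\r\n]/;

// Minimal HTML-entity encoder of the kind the advisory describes. It
// neutralises markup characters but leaves control characters untouched,
// so it is the wrong tool for sanitising an HTTP header value.
function htmlEntityEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened form: accept only a language tag made of letters, digits and
// hyphens (e.g. "en", "de-DE", "zh-Hant-TW"); anything else yields null.
// The regex is an assumption of this example, not the middleware's rule.
const LANGUAGE_TAG_RE = /^[A-Za-z]{2,8}(-[A-Za-z0-9]{1,8})*$/;

function validateLanguageTag(value) {
  if (typeof value !== 'string') return null;
  return LANGUAGE_TAG_RE.test(value) ? value : null;
}

// Stand-in for the step that writes the detected language into the
// response. `headers` is a plain object representing response headers.
// strict=false models the encoder-only path; strict=true the validator.
function setContentLanguage(headers, lng, { strict }) {
  const candidate = strict ? validateLanguageTag(lng) : htmlEntityEncode(lng);
  if (candidate === null) return headers; // reject: leave the header unset
  headers['Content-Language'] = candidate;
  return headers;
}

// Detection helper: true when the lng query parameter of a request target
// decodes to a value containing CR or LF.
function lngHasCrlf(requestTarget) {
  const query = requestTarget.split('?')[1];
  if (!query) return false;
  for (const pair of query.split('&')) {
    const idx = pair.indexOf('=');
    const key = idx < 0 ? pair : pair.slice(0, idx);
    const raw = idx < 0 ? '' : pair.slice(idx + 1);
    if (key !== 'lng') continue;
    let decoded;
    try { decoded = decodeURIComponent(raw); } catch { decoded = raw; }
    if (CRLF_RE.test(decoded)) return true;
  }
  return false;
}

// Constructed access-log style request lines (method, target, version).
const SAMPLE_REQUESTS = [
  'GET /?lng=de-DE HTTP/1.1',
  'GET /?lng=en%0D%0A HTTP/1.1',
  'GET /?lng=fr%0a&x=1 HTTP/1.1',
  'GET /healthz HTTP/1.1',
  'GET /?lng=zh-Hant-TW HTTP/1.1',
];

// Returns the subset of request lines whose lng parameter carries CR/LF.
function flaggedRequests(lines) {
  return lines.filter((line) => lngHasCrlf(line.split(' ')[1] || ''));
}

// Stand-alone demonstration of both the weak and the hardened path.
const weak = setContentLanguage({}, 'en\r\nX-Example: y', { strict: false });
const safe = setContentLanguage({}, 'en\r\nX-Example: y', { strict: true });
console.log('encoder keeps CRLF:', CRLF_RE.test(weak['Content-Language']));
console.log('validator sets header:', 'Content-Language' in safe);
console.log('flagged requests:', flaggedRequests(SAMPLE_REQUESTS));
```

One caveat worth knowing when triaging this in a Node.js service: Node's own http module rejects header values that contain CR or LF (setHeader throws a TypeError with code ERR_INVALID_CHAR), so on current Node releases an unvalidated lng value tends to surface as a thrown error while the response is being built rather than as a cleanly split response. That still breaks the request, which is the denial-of-service outcome the advisory mentions, so the validator belongs before the header is set regardless of what the runtime does afterwards.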
OpenCVE Enrichment
GitHub GHSA