Description
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE.
Published: 2026-05-08
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an unauthenticated prototype pollution flaw where an attacker can inject property keys into Object.prototype via the getResourcesHandler and missingKeyHandler. This can alter behavior of downstream code such as bypassing authorization checks or causing a type-confusion denial of service, and in some execution environments can be escalated to remote code execution. The weakness is identified as a prototype pollution (CWE-1321) and path traversal (CWE-22) flaw that permits arbitrary modification of global object state.

Affected Systems

The affected product is i18next-http-middleware used in Node.js web frameworks like Express, Fastify, or Deno. Versions older than 3.9.3 of the middleware are vulnerable. Applications that import the middleware package without updating to a newer release or applying the published fix are at risk.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity impact. The EPSS score is not available, but the lack of a published exploit anywhere indicates exploitation likelihood is uncertain. The flaw is not listed in the CISA KEV catalog. An unauthenticated HTTP client can trigger the vulnerability by providing crafted language or namespace parameters to the middleware endpoints, allowing an attacker to manipulate Object.prototype and potentially achieve RCE or DoS depending on downstream code.

Generated by OpenCVE AI on May 8, 2026 at 17:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade i18next-http-middleware to version 3.9.3 or later, which removes the unvalidated prototype pollution paths.
  • If an upgrade cannot be performed immediately, restrict access to the middleware routes to authenticated users or remove the middleware from publicly exposed endpoints.
  • Validate or sanitize the language and namespace parameters before passing them to the middleware, ensuring they conform to expected patterns.
  • Monitor application logs for anomalous modifications to Object.prototype or unexpected HTTP traffic to the middleware endpoints.

Generated by OpenCVE AI on May 8, 2026 at 17:46 UTC.
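The third recommended action above (validate the language and namespace parameters before they reach the middleware) is the one an application team can implement on its own. The following is an added example and is not code from the i18next-http-middleware project or from OpenCVE: an allow-list validator for the two parameters plus a guarded resource-store write built on null-prototype objects, so that a key such as __proto__ or constructor, or a value carrying path separators, is rejected before it can reach an object-key write. The parameter shapes, the store layout and all sample inputs are constructed assumptions.

```javascript
'use strict';

// Added example (not the middleware's own code). The regexes, the store layout
// and the sample inputs below are assumptions chosen for illustration.

// Property names that, used as keys on an ordinary object, reach the
// prototype chain or the constructor's prototype slot.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Conservative allow-list for language tags: "en", "en-US", "zh-Hant-TW".
// No dots, slashes or backslashes, so path traversal is excluded as well.
const LANGUAGE_RE = /^[a-z]{2,3}(?:-[A-Za-z0-9]{2,8})*$/;

// Namespaces: letters, digits, underscore and hyphen only, bounded length.
const NAMESPACE_RE = /^[A-Za-z0-9_-]{1,64}$/;

// A key is safe when it is a string and not one of the prototype-reaching names.
function isSafeKey(key) {
  return typeof key === 'string' && !FORBIDDEN_KEYS.has(key);
}

function validateLanguage(value) {
  return typeof value === 'string' && LANGUAGE_RE.test(value) && isSafeKey(value);
}

function validateNamespace(value) {
  return typeof value === 'string' && NAMESPACE_RE.test(value) && isSafeKey(value);
}

// Every level of the store is a null-prototype object, so even a key that
// slipped past validation could not reach Object.prototype through it.
function createResourceStore() {
  return Object.create(null);
}

// Guarded write of a translation value under store[lng][ns][key].
// Returns true on success, false when any component fails validation.
function safeSetResource(store, lng, ns, key, value) {
  if (!validateLanguage(lng) || !validateNamespace(ns) || !isSafeKey(key)) {
    return false;
  }
  // Only create intermediate levels we own; never follow an inherited property.
  if (!Object.prototype.hasOwnProperty.call(store, lng)) {
    store[lng] = Object.create(null);
  }
  if (!Object.prototype.hasOwnProperty.call(store[lng], ns)) {
    store[lng][ns] = Object.create(null);
  }
  store[lng][ns][key] = value;
  return true;
}

// Constructed sample inputs: one legitimate write and three that must be refused.
function demo() {
  const store = createResourceStore();
  const results = {
    legit: safeSetResource(store, 'en-US', 'translation', 'greeting', 'Hello'),
    protoLanguage: safeSetResource(store, '__proto__', 'translation', 'polluted', true),
    traversalNamespace: safeSetResource(store, 'en', '../../etc', 'x', 'y'),
    protoKey: safeSetResource(store, 'en', 'translation', '__proto__', { polluted: true }),
    // A fresh plain object must not have picked up anything.
    globalUntouched: ({}).polluted === undefined,
  };
  return results;
}

module.exports = { isSafeKey, validateLanguage, validateNamespace, createResourceStore, safeSetResource, demo };
```

In an Express or Fastify application the same two validators would run on the raw query or path parameters before the request is handed to the middleware, returning a 400 on failure; the null-prototype store shows the belt-and-braces defence on the write side for code that maintains its own resource map.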

Advisories
Source: Github GHSA
ID: GHSA-5fgg-jcpf-8jjw
Title: i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters
History

Fri, 08 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE.
Title Prototype pollution and path traversal in i18next-http-middleware via user-controlled language and namespace parameters
Weaknesses CWE-1321
CWE-22
References
Metrics cvssV3_1

{'score': 8.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T16:43:48.281Z

Reserved: 2026-04-22T03:53:24.407Z

Link: CVE-2026-41690

Vulnrichment

Updated: 2026-05-08T16:42:42.875Z

NVD

Status : Received

Published: 2026-05-08T16:16:11.473

Modified: 2026-05-08T16:16:11.473

Link: CVE-2026-41690

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T18:00:16Z

Weaknesses