Description
i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting file from disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value — containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string — allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4.
Published: 2026-05-08
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

i18next-fs-backend substitutes the language (lng) and namespace (ns) options directly into configured file path templates without encoding or validation. A crafted value containing directory traversal sequences, path separators, or control characters allows an attacker to read or overwrite files outside the intended locale directory, potentially exposing sensitive data or executing arbitrary code if overwriting executable files. This vulnerability is identified as CWE-22 and CWE-73.

Affected Systems

The affected product is i18next i18next-fs-backend. All versions released before 2.6.4 are vulnerable; upgrades to 2.6.4 or later provide a patch.

Risk and Exploitability

The CVSS score of 8.2 indicates high impact and exploitability. EPSS data is not available and the vulnerability is not listed in CISA KEV. The likely attack vector involves a web application that creates request‑scoped instances of i18next, allowing an attacker to influence the language selection via query string, cookie, header, or other user‑controlled inputs. A single crafted request such as ?lng=../../../../etc/passwd would cause the backend to read that file, revealing credentials or system information, while writing to a critical file could lead to remote code execution.

Generated by OpenCVE AI on May 8, 2026 at 17:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade i18next-fs-backend to version 2.6.4 or later, which removes the vulnerable path interpolation.
  • Validate and sanitize lng and ns inputs in application code, ensuring they contain only allowed locale strings or whitelisted namespaces.
  • Configure i18next to use a strict whitelist of supported languages and namespaces, rejecting any payload that does not match the list.

Generated by OpenCVE AI on May 8, 2026 at 17:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8847-338w-5hcj i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite
History

Fri, 08 May 2026 16:00:00 +0000

Type Values Removed Values Added
Description i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting file from disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value — containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string — allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4.
Title i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite
Weaknesses CWE-22
CWE-73
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T15:38:50.525Z

Reserved: 2026-04-22T03:53:24.407Z

Link: CVE-2026-41693

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T16:16:11.613

Modified: 2026-05-08T16:16:11.613

Link: CVE-2026-41693

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T17:45:13Z

Weaknesses