Description
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of these values to user-controlled input (?lng= / ?ns= query parameters via i18next-browser-languagedetector, cookies, request headers, or a URL-derived projectId), a crafted value can change the structure of the outgoing request URL. Affected call sites in lib/index.js (pre-patch): the interpolate() helper is used at the five URL-build sites — _readAny/read (line 415 for private, 426 for public), getLanguages (lines 271 and 296), and writePage (lines 616 and 622) for the missing-key and update POST paths. The helper interpolate in lib/utils.js substitutes raw values with no encoding. This issue has been patched in version 9.0.2.
Published: 2026-05-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

i18next-locize-backend allows unencoded interpolation of language, namespace, project identifier, and version into request URL templates. A crafted value supplied through query parameters, cookies, request headers, or a URL-derived projectId can alter the structure of outgoing URLs, enabling the application to send requests to arbitrary locations or manipulate path components. This flaw is covered by CWE-22 (Path Traversal) and CWE-74 (URL Injection) and can lead to data leakage, unauthorized access, or execution of unintended server requests.

Affected Systems

The vulnerability affects the locize i18next-locize-backend package for Node.js, browser, and Deno environments, specifically any version prior to 9.0.2.

Risk and Exploitability

The advisory assigns a CVSS score of 6.5, indicating medium severity. EPSS is not available, and the flaw is not listed in the CISA KEV catalog. The attack path relies on user-controlled input reaching the specified parameters; the absence of path validation or encoding makes it feasible for an attacker to forge arbitrary URLs. In environments where the application accepts public traffic, this could allow server-side request forgery, potentially exposing internal services or data.

Generated by OpenCVE AI on May 8, 2026 at 19:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the locize i18next-locize-backend package to version 9.0.2 or later to apply proper URL encoding and path validation
  • Prior to upgrading, validate and sanitize lng, ns, projectId, and version inputs to allow only safe characters (e.g., using a whitelist or regex)
  • Implement outbound network controls that restrict the application’s HTTP/S traffic to trusted destinations, reducing the impact if URL injection is exploited
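As an added illustration of the mechanism in the Description above and of the second recommended action (input validation), the following JavaScript is example code written for this page, not the i18next-locize-backend project's own code. The template string, placeholder syntax, function names and allow-list patterns are assumptions, and the crafted value is constructed. It generalizes the check to all four components the advisory names (lng, ns, projectId, version): the raw substitution shows how a value containing path separators collapses the expected four-segment path, while the hardened substitution validates each component against an allow-list and percent-encodes it before it reaches the URL.

```javascript
// Added example, not i18next-locize-backend code. Template, placeholder
// syntax, function names and patterns are assumptions made for this page.

// Constructed template in the style of a loadPath; placeholders are illustrative.
const LOAD_PATH_TEMPLATE =
  'https://api.example.invalid/{{projectId}}/{{version}}/{{lng}}/{{ns}}';

// Naive substitution: the placeholder is replaced by the raw value, so any
// '/', '..', '?' or '#' inside a value becomes part of the URL's structure.
function interpolateRaw(template, values) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) => String(values[key]));
}

// Allow-list per component (assumed patterns chosen for this example).
const COMPONENT_PATTERNS = {
  lng: /^[a-z]{2,3}(-[A-Za-z0-9]{2,8})*$/i, // e.g. en, en-US, zh-Hant-TW
  ns: /^[A-Za-z0-9_-]{1,64}$/,
  projectId: /^[A-Za-z0-9-]{1,64}$/,
  version: /^[A-Za-z0-9._-]{1,32}$/,
};

// Reject anything that is not a plain string matching the component's pattern.
function validateComponent(key, value) {
  const pattern = COMPONENT_PATTERNS[key];
  if (!pattern) throw new Error(`unknown URL component: ${key}`);
  if (typeof value !== 'string' || !pattern.test(value)) {
    throw new Error(`rejected value for ${key}`);
  }
  return value;
}

// Hardened substitution: validate against the allow-list, then percent-encode,
// so a value can never introduce a new path segment, query or fragment.
function interpolateSafe(template, values) {
  return template.replace(/\{\{(\w+)\}\}/g, (_, key) =>
    encodeURIComponent(validateComponent(key, values[key])));
}

// Path segments as the URL parser resolves them (dot segments are normalized),
// which is what an upstream server would actually see.
function pathSegments(url) {
  return new URL(url).pathname.split('/').filter(Boolean);
}

// Run both variants over a benign input and a constructed crafted value.
function demo() {
  const good = { projectId: 'proj-123', version: 'latest', lng: 'en', ns: 'translation' };
  const crafted = { ...good, lng: '../../other' }; // constructed crafted value
  let safeRejectsCrafted = false;
  try {
    interpolateSafe(LOAD_PATH_TEMPLATE, crafted);
  } catch (err) {
    safeRejectsCrafted = true;
  }
  return {
    rawGood: interpolateRaw(LOAD_PATH_TEMPLATE, good),
    rawCrafted: interpolateRaw(LOAD_PATH_TEMPLATE, crafted),
    safeGood: interpolateSafe(LOAD_PATH_TEMPLATE, good),
    safeRejectsCrafted,
  };
}

const result = demo();
console.log('raw, benign   :', pathSegments(result.rawGood).join('/'));
console.log('raw, crafted  :', pathSegments(result.rawCrafted).join('/'));
console.log('safe, benign  :', pathSegments(result.safeGood).join('/'));
console.log('safe, crafted : rejected =', result.safeRejectsCrafted);
```

The raw variant turns the expected four-segment path (projectId/version/lng/ns) into a two-segment path once the URL parser resolves the dot segments, which is the structural change the advisory describes. Validation and encoding are applied together on purpose: the allow-list catches the class of input, and encoding guarantees that whatever passes still occupies exactly one path segment.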


Advisories
Source: GitHub GHSA
ID: GHSA-mgcp-mfp8-3q45
Title: i18next-locize-backend has URL Injection via Unsanitized Path Parameters
History

Fri, 08 May 2026 17:30:00 +0000

Metrics added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 08 May 2026 16:00:00 +0000

Description added: the same text as shown in the Description section at the top of this page.
Title added: Path traversal / URL injection via unsanitised lng/ns/projectId/version in i18next-locize-backend
Weaknesses added: CWE-22, CWE-74
References: none listed
Metrics added: cvssV3_1
{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T16:06:11.177Z

Reserved: 2026-04-22T15:11:54.670Z

Link: CVE-2026-41885

Vulnrichment

Updated: 2026-05-08T16:06:06.925Z

NVD

Status : Received

Published: 2026-05-08T16:16:11.913

Modified: 2026-05-08T16:16:11.913

Link: CVE-2026-41885

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T19:15:14Z

Weaknesses