Impact
i18next-http-middleware forwards the client-supplied language (lng) and namespace (ns) parameters to the configured i18next backend loader without validating them. Typical backends build the resource location by substituting those values into a loadPath template, so the client controls part of the path or URL the server then reads or fetches. With a filesystem backend this becomes a local file read: values containing path traversal sequences escape the locales directory. With an HTTP backend it becomes server-side request forgery (SSRF): the server issues outbound requests to URLs shaped by the attacker, including internal services. Either outcome can leak sensitive data or serve as a foothold for further attacks. The exposure is not limited to a single fixed file; because the supplied values are spliced into the full path, an attacker can steer the loader well beyond the intended directory or endpoint.
Affected Systems
The vulnerability affects every i18next-http-middleware release before 3.9.3. Any deployment that mounts the package's resource handler in a Node.js web framework such as Express or Fastify, or in a Deno environment, is exposed. The vulnerable component is getResourcesHandler, which passes the user-supplied language and namespace values straight into backendConnector.load. Version 3.9.3 is the first release to include the mitigation; earlier releases have no fix, so upgrading is the remediation.
Risk and Exploitability
The CVSS score of 8.2 places this vulnerability in the high severity band. No EPSS score is available, and the issue is not listed in the CISA KEV catalog, which only means no confirmed in-the-wild exploitation has been recorded there; it says nothing about how easy the flaw is to exploit, and the risk to deployments still running a vulnerable version is unchanged. The trigger is a single crafted HTTP request to the resources endpoint that sets the language or namespace in the query string or request body. Depending on the configured backend, that request produces either path traversal on the local filesystem or an SSRF to a URL the attacker has shaped. The only prerequisite is network access to the resources endpoint of the vulnerable application, so this is a remote attack vector with potential for significant data exposure.
OpenCVE Enrichment
GitHub GHSA