Description
Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input). Backend.writeFile() splits each queued missing-key string on the configured keySeparator (default .) before calling the internal setPath() walker. The walker (getLastOfPath in lib/utils.js) did not guard against unsafe segments, so a key like "__proto__.polluted" was split into ["__proto__", "polluted"] and walked straight into Object.prototype, allowing an attacker to write arbitrary properties onto the global object prototype. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks. Applications are affected only if the missingKeyHandler (or another route that forwards untrusted request bodies to i18next.t(..., { ... }) with saveMissing: true) is reachable by untrusted users and the default behaviour of splitting missing-key strings on keySeparator is in use (i.e. keySeparator is not false). Apps that do not expose missing-key persistence to untrusted input are not directly affected through this attack path. This issue has been fixed in version 2.6.6. If developers using the library are unable to upgrade immediately, they should take the following precautions: do not expose i18next-http-middleware's missingKeyHandler to untrusted users (mount it behind authentication, or remove the route), disable missing-key persistence (saveMissing: false, or no backend.create implementation) when accepting writes from untrusted input, and set keySeparator: false in their i18next options to disable backend key splitting (note: this also disables nested translation keys).
Published: 2026-06-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A crafted missing-key string that includes a double underscore followed by a dot, such as "__proto__.polluted", is parsed by the backend’s missing-key persistence routine. The string is split on the configured key separator (by default ".") and the walker traverses the resulting path segment by segment. Because the walker does not guard against unsafe segments, the traversal extends into Object.prototype, allowing the attacker to inject arbitrary properties onto the global prototype. This form of prototype pollution can compromise application stability, corrupt translation data, poison configuration values, and bypass property-based security checks. The weakness is identified as CWE‑1321.

Affected Systems

All installations of i18next‑fs‑backend older than version 2.6.6 that use the default key separator and expose the missingKeyHandler to untrusted input are impacted. The flaw is triggered when an application mounts i18next-http-middleware’s missingKeyHandler or otherwise calls i18next.t with saveMissing set to true. If the key separator is disabled (keySeparator set to false) or if the middleware is not reachable from untrusted users, the vulnerability is not exploitable. The issue is resolved in version 2.6.6.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.1, reflecting a high severity. The EPSS score is below 1 %, indicating a low estimated exploitation probability at present, and the issue is not listed in the CISA KEV catalog. However, the attack requires only a crafted HTTP request to the missingKeyHandler or an equivalent entry point, making the potential impact wide ranging if the application permits unauthenticated access. An attacker could cause denial of service, corrupt translation or configuration data, or potentially establish a foothold for further exploitation depending on the host application’s safeguards.

Generated by OpenCVE AI on June 16, 2026 at 21:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade i18next‑fs‑backend to version 2.6.6 or later
  • Restrict the missingKeyHandler or any route that forwards request bodies to i18next.t with saveMissing: true so that only authenticated users can invoke it
  • If upgrading is not immediately possible, disable missing‑key persistence by setting saveMissing to false, removing the backend.create implementation, or setting keySeparator to false to stop automatic key splitting

Generated by OpenCVE AI on June 16, 2026 at 21:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
First Time appeared I18next
I18next i18next-fs-backend
Vendors & Products I18next
I18next i18next-fs-backend

Mon, 15 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input). Backend.writeFile() splits each queued missing-key string on the configured keySeparator (default .) before calling the internal setPath() walker. The walker (getLastOfPath in lib/utils.js) did not guard against unsafe segments, so a key like "__proto__.polluted" was split into ["__proto__", "polluted"] and walked straight into Object.prototype, allowing an attacker to write arbitrary properties onto the global object prototype. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks. Applications are affected only if the missingKeyHandler (or another route that forwards untrusted request bodies to i18next.t(..., { ... }) with saveMissing: true) is reachable by untrusted users and the default behaviour of splitting missing-key strings on keySeparator is in use (i.e. keySeparator is not false). Apps that do not expose missing-key persistence to untrusted input are not directly affected through this attack path. This issue has been fixed in version 2.6.6. If developers using the library are unable to upgrade immediately, they should take the following precautions: do not expose i18next-http-middleware's missingKeyHandler to untrusted users (mount it behind authentication, or remove the route), disable missing-key persistence (saveMissing: false, or no backend.create implementation) when accepting writes from untrusted input, and set keySeparator: false in their i18next options to disable backend key splitting (note: this also disables nested translation keys).
Title i18next-fs-backend: Prototype pollution via crafted missing-key string
Weaknesses CWE-1321
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}

Subscriptions

I18next I18next-fs-backend
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-16T12:49:24.673Z

Reserved: 2026-05-22T18:47:27.755Z

Link: CVE-2026-48713

cve-icon Vulnrichment

Updated: 2026-06-16T12:49:21.463Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-15T22:16:17.397

Modified: 2026-06-16T15:46:06.380

Link: CVE-2026-48713

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-16T21:30:16Z

Weaknesses
  • CWE-1321

    Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')