Description
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not reject dotted variants such as "__proto__.polluted". Downstream backends that split the missing-key string on a configured keySeparator (notably i18next-fs-backend ≤ 2.6.5) hand these keys to an unguarded setPath() walker that writes to Object.prototype. Applications that expose missingKeyHandler to untrusted input AND use i18next-fs-backend ≤ 2.6.5 are directly exploitable for remote prototype pollution. Other downstream backends that split the missing-key string the same way may be similarly affected. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks. This issue has been fixed in version 3.9.7. If developers cannot upgrade immediately, they should do the following: do not expose missingKeyHandler to untrusted users (mount it behind authentication, or remove the route), add a request-body filter ahead of the handler that rejects any top-level key containing __proto__, constructor, or prototype after splitting on their configured keySeparator, and disable missing-key persistence (saveMissing: false) when accepting writes from untrusted input.
Published: 2026-06-15
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The middleware's missingKeyHandler was designed to reject dangerous keys such as "__proto__", "constructor", and "prototype". However, in versions prior to 3.9.7 it allowed dotted keys like "__proto__.polluted". When a downstream backend splits the key on a configured keySeparator and passes the parts to an unguarded setPath() walker, that path writes directly to Object.prototype. This behavior matches CWE-1321 because an attacker can alter prototype properties through the application. The vulnerability can be triggered by sending a crafted request body containing such a dotted key. The impact depends on the host application but can include application crashes, corrupted translation behavior, configuration poisoning, or bypasses of property-based security checks.

Affected Systems

The affected product is i18next-http-middleware (vendor: i18next) when its missingKeyHandler is exposed to untrusted input. The vulnerability exists in all releases before 3.9.7. Additionally, any downstream backend that splits the missing-key string on a keySeparator, notably i18next-fs-backend versions up to 2.6.5, is vulnerable. Common host environments include Node.js frameworks such as Express and Fastify, as well as the Deno runtime. Remediation requires upgrading the middleware (or the backend) beyond the vulnerable version or applying the indicated mitigations.

Risk and Exploitability

The CVSS score is 9.1, categorizing it as critical. The EPSS score is below 1%, indicating a low but non-zero exploitation probability. Because the vulnerability is not listed in the CISA KEV catalog, there is no known widespread exploitation. The likely attack vector is an HTTP request to the missingKeyHandler route that contains a dotted key. If the backend that processes the missing key is unprotected, prototype values are overwritten, allowing potential configuration or code manipulation depending on the target application. Prompt mitigation via an upgrade and the available workarounds is therefore strongly recommended.

Generated by OpenCVE AI on June 16, 2026 at 22:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade i18next-http-middleware to version 3.9.7 or later and ensure any downstream backends (e.g., i18next-fs-backend) are also upgraded past the vulnerable versions.
  • If an upgrade is not immediately possible, restrict the missingKeyHandler route so it is only reachable by authenticated or trusted users; otherwise remove or disable the route.
  • Insert a request-body filter before the missingKeyHandler that rejects any top-level key containing "__proto__", "constructor", or "prototype" after splitting on the configured keySeparator.
  • Disable missing-key persistence (set `saveMissing: false`) when the application accepts write requests from untrusted input, so no polluted key values are stored.
  • Validate that the keySeparator configuration is safe and does not allow arbitrary nested property names that could reach Object.prototype, or change to a separator that does not split nested keys.
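The request-body filter recommended above, written out as an added example (this is not code from i18next-http-middleware or i18next-fs-backend). It splits every top-level key on the configured keySeparator the way a backend would and rejects any key whose segments include a prototype-polluting name; a guarded path walker is included as defence in depth. The middleware shape (req.body, res.status().json(), next) is assumed Express-style and that the body has already been parsed.

```javascript
// Added example, not project code: reject translation keys whose dotted
// segments contain prototype-polluting names, per the advisory's workaround.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Split each key as a keySeparator-aware backend would and check every
// segment, not only the literal top-level key. keySeparator may be false
// (nested keys disabled), in which case only the whole key is checked.
function findForbiddenKeys(body, keySeparator = '.') {
  if (body === null || typeof body !== 'object') return [];
  const bad = [];
  for (const key of Object.keys(body)) {
    const segments = keySeparator ? key.split(keySeparator) : [key];
    if (segments.some((s) => FORBIDDEN_SEGMENTS.has(s))) bad.push(key);
  }
  return bad;
}

// Express-style middleware (assumed shape): 400 on any forbidden key,
// otherwise pass the request on to missingKeyHandler.
function missingKeyBodyFilter(keySeparator = '.') {
  return function (req, res, next) {
    const bad = findForbiddenKeys(req.body, keySeparator);
    if (bad.length > 0) {
      res.status(400).json({ error: 'rejected prototype-polluting key', keys: bad });
      return;
    }
    next();
  };
}

// Defence in depth for any code that walks a dotted path into a plain
// object: refuse forbidden segments instead of following them toward
// Object.prototype, and only descend into own, non-null object properties.
function safeSetPath(target, segments, value) {
  if (segments.some((s) => FORBIDDEN_SEGMENTS.has(s))) {
    throw new Error('refusing to set path with forbidden segment: ' + segments.join('.'));
  }
  let node = target;
  for (const seg of segments.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || node[seg] === null || typeof node[seg] !== 'object') node[seg] = {};
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}
```

Use `findForbiddenKeys(req.body, i18next.options.keySeparator)` so the filter splits on exactly the separator the backend will use.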


Tracking


Advisories

No advisories yet.

History

Tue, 16 Jun 2026 15:30:00 +0000

Metrics (ssvc), values added:
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 14:00:00 +0000

First Time appeared, values added: I18next; I18next i18next-http-middleware
Vendors & Products, values added: I18next; I18next i18next-http-middleware

Mon, 15 Jun 2026 21:45:00 +0000

Description, values added: (identical to the Description section above)
Title, values added: i18next-http-middleware missingKeyHandler does not reject keys whose segments contain prototype-polluting names
Weaknesses, values added: CWE-1321
References, values added: (none listed)
Metrics (cvssV3_1), values added:
{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-16T14:50:29.087Z

Reserved: 2026-05-22T18:47:27.755Z

Link: CVE-2026-48714

Vulnrichment

Updated: 2026-06-16T14:50:25.454Z

NVD

Status: Awaiting Analysis

Published: 2026-06-15T22:16:17.550

Modified: 2026-06-16T15:46:06.380

Link: CVE-2026-48714

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-16T22:15:03Z

Weaknesses
  • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')