Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1325 CNY

100%
Buy Us a Coffee

CVE-2026-48713— i18next-fs-backend: Prototype pollution via crafted missing-key string

CVSS 9.1 · Critical EPSS 0.38% · P30

Affected Version Matrix 1

VendorProductVersion RangeStatus
i18nexti18next-fs-backend< 2.6.6affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-48713

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
i18next-fs-backend: Prototype pollution via crafted missing-key string
Source: NVD (National Vulnerability Database)
Vulnerability Description
Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input). Backend.writeFile() splits each queued missing-key string on the configured keySeparator (default .) before calling the internal setPath() walker. The walker (getLastOfPath in lib/utils.js) did not guard against unsafe segments, so a key like "__proto__.polluted" was split into ["__proto__", "polluted"] and walked straight into Object.prototype, allowing an attacker to write arbitrary properties onto the global object prototype. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks. Applications are affected only if the missingKeyHandler (or another route that forwards untrusted request bodies to i18next.t(..., { ... }) with saveMissing: true) is reachable by untrusted users and the default behaviour of splitting missing-key strings on keySeparator is in use (i.e. keySeparator is not false). Apps that do not expose missing-key persistence to untrusted input are not directly affected through this attack path. This issue has been fixed in version 2.6.6. If developers using the library are unable to upgrade immediately, they should take the following precautions: do not expose i18next-http-middleware's missingKeyHandler to untrusted users (mount it behind authentication, or remove the route), disable missing-key persistence (saveMissing: false, or no backend.create implementation) when accepting writes from untrusted input, and set keySeparator: false in their i18next options to disable backend key splitting (note: this also disables nested translation keys).
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
CWE-1321
Source: NVD (National Vulnerability Database)
Vulnerability Title
i18next i18next-fs-backend 输入验证错误漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
i18next i18next-fs-backend是i18next的后端模块组件。 i18next i18next-fs-backend 2.6.6之前版本存在输入验证错误漏洞,该漏洞源于原型污染,通过特制的缺失键字符串在持久化缺失翻译键时,可能导致攻击者向全局对象原型写入任意属性,进而导致崩溃、翻译行为错误、配置投毒或绕过基于属性的安全检查。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
i18nexti18next-fs-backend < 2.6.6 -

II. Public POCs for CVE-2026-48713

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-48713

登录查看更多情报信息。

Patches & Fixes for CVE-2026-48713 (1)

Vendor Advisories for CVE-2026-48713 (1)

IV. Related Vulnerabilities

Same product: i18next-fs-backend
Same vendor: i18next
Same weakness: CWE-1321

V. Comments for CVE-2026-48713

No comments yet

Leave a comment