HIGHCVE-2026-42353Published 2026-05-08Modified 2026-05-08CNA GitHub_M

CVE-2026-42353: Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3.

CVSS v3.1: 8.2
Severity: HIGH
Fixed in: —
Affected Products: 1

Affected packages

i18next / i18next-http-middleware
< 3.9.3

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

References

https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-jfgf-83c5-2c4m

Metrics