CRITICAL | CVE-2026-48713 | Published | Modified | CNA: GitHub_M

CVE-2026-48713: i18next-fs-backend: Prototype pollution via crafted missing-key string

Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input).

Backend.writeFile() splits each queued missing-key string on the configured keySeparator (default .) before calling the internal setPath() walker. The walker (getLastOfPath in lib/utils.js) did not guard against unsafe segments, so a key like "__proto__.polluted" was split into ["__proto__", "polluted"] and walked straight into Object.prototype, allowing an attacker to write arbitrary properties onto the global object prototype. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks.

Applications are affected only if the missingKeyHandler (or another route that forwards untrusted request bodies to i18next.t(..., { ... }) with saveMissing: true) is reachable by untrusted users and the default behaviour of splitting missing-key strings on keySeparator is in use (i.e. keySeparator is not false). Apps that do not expose missing-key persistence to untrusted input are not directly affected through this attack path.

This issue has been fixed in version 2.6.6. If developers using the library are unable to upgrade immediately, they should take the following precautions:

  • Do not expose i18next-http-middleware's missingKeyHandler to untrusted users (mount it behind authentication, or remove the route).
  • Disable missing-key persistence (saveMissing: false, or no backend.create implementation) when accepting writes from untrusted input.
  • Set keySeparator: false in their i18next options to disable backend key splitting (note: this also disables nested translation keys).
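The walker behaviour described above, as an added example that is not the i18next-fs-backend source: a simplified dotted-key walker without a segment guard next to a guarded one. The function names, the `UNSAFE_SEGMENTS` list and the sample keys other than "__proto__.polluted" are assumptions made for illustration.

```javascript
// Simplified model of a dotted-key path walker. Added illustration only; this is
// not the library's code, and every name here is hypothetical.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

const split = (key, sep) => (sep === false ? [key] : key.split(sep));

// Before: every segment is followed with a plain property read, so the segment
// '__proto__' resolves to Object.prototype and the final write lands there.
function setPathUnsafe(target, key, value, keySeparator = '.') {
  const segments = split(key, keySeparator);
  let node = target;
  for (const seg of segments.slice(0, -1)) {
    if (typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
}

// After: reject keys containing an unsafe segment, and only descend into
// properties the current node owns itself (never inherited ones).
function setPathSafe(target, key, value, keySeparator = '.') {
  const segments = split(key, keySeparator);
  if (segments.some((seg) => UNSAFE_SEGMENTS.has(seg))) return false;
  let node = target;
  for (const seg of segments.slice(0, -1)) {
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return true;
}

function demo() {
  const out = {};
  setPathUnsafe({}, '__proto__.polluted', 'yes');
  out.unsafePolluted = ({}).polluted === 'yes'; // unrelated object sees the write
  delete Object.prototype.polluted;             // undo the constructed pollution
  out.guardAccepted = setPathSafe({}, '__proto__.polluted', 'yes');
  out.guardPolluted = 'polluted' in {};
  const catalog = {};
  setPathSafe(catalog, 'home.title', 'Welcome'); // ordinary nested key still works
  out.nested = catalog.home.title;
  const flat = {};                               // keySeparator: false workaround
  setPathUnsafe(flat, '__proto__.polluted', 'yes', false);
  out.flatOwnKey = Object.keys(flat)[0];
  out.flatPolluted = 'polluted' in {};
  return out;
}
```

With keySeparator set to false the whole string becomes a single own property name, which is why that workaround blocks this path and also why nested keys stop working.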

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in
Affected Products: 1

HarborGuard Analysis

Synopsis

Prototype pollution is a JavaScript-specific vulnerability affecting i18next-fs-backend, a file-system translation backend for the i18next internationalization library. The flaw is reachable over the network with no authentication required: an attacker sends a crafted missing-key string (for example, "__proto__.polluted") to any endpoint that forwards untrusted input to i18next with saveMissing enabled, causing the library's key-path walker to write arbitrary properties onto Object.prototype, the shared ancestor of all JavaScript objects in the process. Successful exploitation lets an attacker corrupt application state, poison configuration objects, crash the service, or bypass property-based access controls. No fix version has been published yet; HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available as soon as a fix is released.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-48713 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle i18next-fs-backend as a transitive or direct dependency.

Triage: Available

HarborGuard scores this CVE at CVSS 9.1 Critical and is capable of applying per-environment compliance policy weighting before routing findings to the appropriate team inbox inside each customer organization, so high-urgency issues surface to the right responders without manual sorting.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainer ships a corrected release. In the meantime, customers can review HarborGuard's compensating-control guidance described in the recommendation below.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the vulnerable missing-key handler over the network; any publicly or internally routable HTTP endpoint that forwards untrusted input to i18next with saveMissing enabled is exposed.

  • Authentication: Not required

    No credentials are needed; the CVSS vector specifies PR:N, meaning any unauthenticated party who can send an HTTP request to the endpoint can trigger the vulnerability.

  • Victim interaction: Not required

    No user interaction is required; the attacker sends a crafted request directly to the service without any action from a legitimate user.

  • Attack complexity: Detail

    Attack complexity is Low (AC:L), meaning the exploit is reliable and condition-free: no race conditions, memory-layout dependencies, or special environmental states are required.

Blast Radius

  • An attacker writes arbitrary properties onto Object.prototype, poisoning the shared prototype chain for every JavaScript object in the running process.
  • Polluted prototype properties can override configuration values read by downstream application code, enabling configuration poisoning that affects unrelated subsystems.
  • Property-based security checks (for example, permission flags read from object properties) can be bypassed if the expected property is shadowed by a polluted prototype value.
  • The process can be crashed outright if a polluted prototype key conflicts with an internal property accessed during normal request handling, producing a Denial of Service.
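The configuration-poisoning and property-check items above, as an added defensive example that is not taken from the advisory or the library: own-property checks and null-prototype configuration objects keep their meaning even while Object.prototype carries extra properties. The names `isAdmin`, `debug`, `timeoutMs` and all functions are assumptions, and the pollution is simulated locally and removed again.

```javascript
// Constructed scenario; every name here is illustrative, none comes from the page.
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Fragile: a plain property read also consults the prototype chain.
function canDeleteNaive(user) {
  return user.isAdmin === true;
}

// Hardened: only a flag stored on the object itself counts.
function canDeleteOwn(user) {
  return hasOwn(user, 'isAdmin') && user.isAdmin === true;
}

// Hardened config: copy an allow-list of keys onto a null-prototype object,
// taking overrides only when they are own properties of the input.
const CONFIG_DEFAULTS = { timeoutMs: 5000, debug: false };
function loadConfig(overrides) {
  const cfg = Object.create(null);
  for (const key of Object.keys(CONFIG_DEFAULTS)) {
    cfg[key] = hasOwn(overrides, key) ? overrides[key] : CONFIG_DEFAULTS[key];
  }
  return Object.freeze(cfg);
}

function runScenario() {
  const user = { name: 'guest' };
  const overrides = { timeoutMs: 100 };
  // Simulate the state a polluted process would be in (constructed values).
  Object.prototype.isAdmin = true;
  Object.prototype.debug = true;
  try {
    return {
      naiveCheck: canDeleteNaive(user),        // inherits the polluted flag
      ownCheck: canDeleteOwn(user),            // ignores inherited values
      naiveDebug: overrides.debug,             // plain read sees the polluted value
      configDebug: loadConfig(overrides).debug // falls back to the real default
    };
  } finally {
    delete Object.prototype.isAdmin;
    delete Object.prototype.debug;
  }
}
```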

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published, HarborGuard monitors the i18next-fs-backend advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment version 2.6.6 or a later corrected release appears upstream. For customers with auto-remediation enabled, that rebuild triggers a regression-test run and a PR opened against affected workloads with no manual intervention. While waiting for an upstream fix, HarborGuard's policy engine can flag images containing vulnerable versions of i18next-fs-backend for compensating-control enforcement: recommended mitigations include mounting the missingKeyHandler route behind authentication so untrusted users cannot reach it, setting saveMissing: false in i18next configuration to disable missing-key persistence entirely, and setting keySeparator: false to prevent backend key splitting (note that this also disables nested translation key support, so it should be evaluated against application requirements). Network-policy isolation that restricts which services can reach the translation endpoint reduces the reachable attack surface without requiring an application code change.

Affected packages
  • i18next / i18next-fs-backend
    < 2.6.6
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H