HarborGuard Database

CRITICAL | CVE-2026-48714 | CNA: GitHub_M

CVE-2026-48714: i18next-http-middleware missingKeyHandler does not reject keys whose segments contain prototype-polluting names

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not reject dotted variants such as "__proto__.polluted". Downstream backends that split the missing-key string on a configured keySeparator (notably i18next-fs-backend ≤ 2.6.5) hand these keys to an unguarded setPath() walker that writes to Object.prototype. Applications that expose missingKeyHandler to untrusted input AND use i18next-fs-backend ≤ 2.6.5 are directly exploitable for remote prototype pollution. Other downstream backends that split the missing-key string the same way may be similarly affected. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks. This issue has been fixed in version 3.9.7. If developers cannot upgrade immediately, they should do the following: do not expose missingKeyHandler to untrusted users (mount it behind authentication, or remove the route), add a request-body filter ahead of the handler that rejects any top-level key containing __proto__, constructor, or prototype after splitting on their configured keySeparator, and disable missing-key persistence (saveMissing: false) when accepting writes from untrusted input.
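The bypass described above, as an added example (not code from i18next-http-middleware, i18next-fs-backend, or HarborGuard): a constructed stand-in for an unguarded setPath()-style walker, a model of the pre-3.9.7 literal-key check, the segment-aware check the advisory recommends, and a request-body filter of the kind the advisory (and the compensating controls listed under "How HarborGuard Handles This") tells you to mount ahead of the handler. The function names, the walker, and the request bodies are assumptions made for illustration; only the behaviour (literal names blocked, "__proto__.polluted" split on keySeparator and written into Object.prototype) follows the advisory text.

```javascript
// Added example; not the project's own code. Models the missing-key path from
// the advisory: a literal-only check lets "__proto__.polluted" through, and a
// walker that splits on keySeparator then writes onto Object.prototype.

const KEY_SEPARATOR = '.'; // i18next's default keySeparator (assumption for the demo)
const POLLUTING_NAMES = new Set(['__proto__', 'constructor', 'prototype']);

// Split a key on the configured separator. i18next allows keySeparator: false,
// in which case the key is a single segment and must not be split at all.
function segmentsOf(key, sep = KEY_SEPARATOR) {
  return sep ? key.split(sep) : [key];
}

// Constructed stand-in for an unguarded setPath()-style walker. For the key
// "__proto__.polluted" the first hop resolves target.__proto__, which on a
// plain object is Object.prototype, so the final assignment lands there.
function unguardedSetPath(target, key, value, sep = KEY_SEPARATOR) {
  const segs = segmentsOf(key, sep);
  let node = target;
  for (const seg of segs.slice(0, -1)) {
    if (node[seg] === undefined || node[seg] === null) node[seg] = {};
    node = node[seg];
  }
  node[segs[segs.length - 1]] = value;
  return target;
}

// Model of the 3.9.3 to 3.9.6 behaviour: only the literal top-level key is
// rejected, so a dotted variant passes. (Constructed; not the real code.)
function literalKeyIsBlocked(key) {
  return POLLUTING_NAMES.has(key);
}

// Segment-aware check: reject if ANY segment after splitting on the
// configured keySeparator is a prototype-polluting name.
function keyIsBlocked(key, sep = KEY_SEPARATOR) {
  return segmentsOf(key, sep).some((seg) => POLLUTING_NAMES.has(seg));
}

// Hypothetical Express/Fastify-shaped body filter to mount ahead of
// missingKeyHandler. It inspects top-level body keys, which is where the
// missing-key strings arrive, and answers 400 before the handler runs.
function rejectPollutingKeys(sep = KEY_SEPARATOR) {
  return function filter(req, res, next) {
    const body = req.body;
    if (body && typeof body === 'object') {
      for (const key of Object.keys(body)) {
        if (keyIsBlocked(key, sep)) {
          res.statusCode = 400;
          return res.end('rejected missing-key name');
        }
      }
    }
    return next();
  };
}

// Run a body through a check, hand whatever passes to the walker, then report
// what an unrelated object sees afterwards. Any pollution is undone before
// returning so the rest of the process stays usable.
function simulate(body, check, sep = KEY_SEPARATOR) {
  const store = {};
  const accepted = [];
  for (const key of Object.keys(body)) {
    if (check(key, sep)) continue;
    accepted.push(key);
    unguardedSetPath(store, key, body[key], sep);
  }
  const bystander = {};
  const leaked = bystander.polluted; // defined only if Object.prototype was written
  delete Object.prototype.polluted;
  return { accepted, leaked };
}

// Constructed request body, parsed the way a JSON body parser would produce it
// (JSON.parse creates an own "__proto__" key; an object literal would not).
const SAMPLE_BODY = JSON.parse(
  '{"__proto__": "x", "hello.world": "Hello", "__proto__.polluted": "yes"}'
);

console.log('literal-only check :', JSON.stringify(simulate(SAMPLE_BODY, literalKeyIsBlocked)));
console.log('segment-aware check:', JSON.stringify(simulate(SAMPLE_BODY, keyIsBlocked)));
```

The literal-only check accepts both "hello.world" and "__proto__.polluted" and the bystander object ends up with a "polluted" property; the segment-aware check accepts only "hello.world". If a deployment changes keySeparator, the filter must split on the same value the backend does, otherwise it rejects the wrong strings and still lets the dangerous ones through.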

Metrics

CVSS v3.1: 9.1
Severity: CRITICAL
Fixed in: 3.9.7
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a prototype pollution vulnerability in i18next-http-middleware, a Node.js middleware package used with Express and Fastify. The flaw is reachable over the network with no authentication required: an unauthenticated remote attacker can write arbitrary properties onto Object.prototype by sending a crafted dotted missing-key string (for example, '__proto__.polluted') to an exposed missingKeyHandler endpoint. The middleware's own check only rejects the literal names __proto__, constructor, and prototype; the write happens in a downstream backend that splits the key on the configured keySeparator (notably i18next-fs-backend ≤ 2.6.5), so direct exploitation requires that such a backend be in use with missing-key persistence enabled. Successful exploitation lets the attacker corrupt application configuration, crash the service, or bypass property-based security checks. The issue is fixed in i18next-http-middleware 3.9.7; HarborGuard tracks this advisory and makes a patched-image rebuild available for that release.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds (including GitHub Advisory Database) within minutes of publication and matched against customer images in registries and CI pipelines, including custom-built images that bundle i18next-http-middleware.

Available
Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.1 (Critical) and weighting it against each customer environment's compliance policy, then routing the finding to the appropriate team inbox within the customer org.

Available
Patch

The upstream fix is i18next-http-middleware 3.9.7. HarborGuard re-checks this advisory on every ingest cycle so the patched-image rebuild tracks the remediated release (and any later fix versions). For customers who opt into auto-remediation, the rebuild, regression test run, and PR against affected workloads are triggered without manual intervention.

Fix available upstream (3.9.7)

Exploit Conditions

  • Network reachability: Required

    The vulnerable missingKeyHandler route must be mounted and exposed over the network; the attacker needs to reach it via HTTP from a remote network location.

  • Authentication: Not required

    The CVSS vector specifies PR:N, meaning no account or credential is needed to send a malicious missing-key payload to the handler.

  • Victim interaction: Not required

    The attack is fully server-side; no user action such as clicking a link or opening a file is required to trigger prototype pollution.

  • Attack complexity: Low

    Attack complexity is Low (AC:L): the exploit is a single crafted request and needs no race condition or memory-layout knowledge. The one environmental precondition is on the application side: the missing-key string must reach a backend that splits it on keySeparator and walks the result without guarding prototype names (i18next-fs-backend ≤ 2.6.5 is the known case), with missing-key persistence enabled.

Blast Radius

  • An attacker writes arbitrary properties onto Object.prototype, poisoning the shared prototype chain for all objects in the Node.js process.
  • Polluted prototype properties can crash the running service by causing unexpected type errors or infinite loops in downstream code that iterates object properties.
  • Configuration objects that inherit from Object.prototype may pick up attacker-controlled values, enabling configuration poisoning that alters application behavior globally.
  • Property-based security checks (for example, role or permission checks that read a property from a plain object) can be bypassed when the attacker pre-sets the checked property name on the prototype.
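Consequences three and four above (configuration poisoning and bypassed property checks), as an added example that is not HarborGuard's or i18next's code: the pollution is applied directly to Object.prototype to stand in for the handler path, and the comparison is between plain-object reads that inherit the attacker's values and consumer-side patterns that do not. The property names (isAdmin, debug), the sample user and config objects, and the function names are constructed for the demo.

```javascript
// Added example; not the project's own code. Shows what a polluted
// Object.prototype does to ordinary reads and how hardened consumers avoid it.

// Simulated attacker write, standing in for the dotted missing-key path.
// Returns a function that removes the pollution again.
function pollute(props) {
  for (const [name, value] of Object.entries(props)) Object.prototype[name] = value;
  return () => { for (const name of Object.keys(props)) delete Object.prototype[name]; };
}

// Naive permission check: a truthy read that falls through to the prototype.
function isAdminNaive(user) {
  return !!user.isAdmin;
}

// Hardened check: only an OWN property set to exactly true counts.
function isAdminOwn(user) {
  return Object.prototype.hasOwnProperty.call(user, 'isAdmin') && user.isAdmin === true;
}

// Naive config merge: for...in visits inherited enumerable properties, so
// attacker-set names are copied into the merged config as own properties.
function mergeConfigNaive(defaults, overrides) {
  const out = {};
  for (const k in defaults) out[k] = defaults[k];
  for (const k in overrides) out[k] = overrides[k];
  return out;
}

// Hardened merge: a null-prototype target (nothing to inherit from) filled
// only with each source's own keys.
function mergeConfigSafe(defaults, overrides) {
  const out = Object.create(null);
  for (const src of [defaults, overrides]) {
    for (const k of Object.keys(src)) out[k] = src[k];
  }
  return out;
}

// Exercise both styles while the prototype is polluted, then undo the
// pollution before returning so the process is clean again.
function demonstrate() {
  const user = JSON.parse('{"name": "guest"}'); // constructed: has no isAdmin field at all
  const defaults = { locale: 'en' };            // constructed: has no debug field at all
  const undo = pollute({ isAdmin: true, debug: true });
  try {
    const naiveCfg = mergeConfigNaive(defaults, {});
    const safeCfg = mergeConfigSafe(defaults, {});
    return {
      naiveAdmin: isAdminNaive(user),   // true: inherited from the polluted prototype
      ownAdmin: isAdminOwn(user),       // false: no own isAdmin property
      naiveDebug: naiveCfg.debug,       // true: copied in by for...in
      safeDebug: safeCfg.debug,         // undefined: null prototype, own keys only
      naiveKeys: Object.keys(naiveCfg), // includes the attacker's names
      safeKeys: Object.keys(safeCfg),   // ['locale']
    };
  } finally {
    undo();
  }
}

console.log(demonstrate());
```

Own-property checks and null-prototype objects protect the code that uses them; they do not stop the pollution itself, which is why the request-side filter and disabling missing-key persistence (saveMissing: false) come first. Node's `--frozen-intrinsics` flag freezes Object.prototype process-wide and is a stronger backstop, at the cost of breaking any dependency that legitimately patches built-in prototypes.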

How HarborGuard Handles This

Available on HarborGuard: the upstream fix for this Critical-severity issue is i18next-http-middleware 3.9.7, and HarborGuard re-evaluates the advisory on each ingest cycle so the patched-image rebuild tracks that release and any later remediated versions. Until an upgrade lands, customers can act on the compensating controls surfaced in the advisory: isolate or remove the missingKeyHandler route using network policy controls, gate the endpoint behind authentication to eliminate unauthenticated exposure, add a request-body filter ahead of the handler that rejects any top-level key containing '__proto__', 'constructor', or 'prototype' in any segment after splitting on the configured keySeparator, and set 'saveMissing: false' for any service that accepts writes from untrusted input. For customers who opt into auto-remediation, a rebuilt image, regression test run, and PR against affected workloads are generated automatically.

Affected packages
  • i18next / i18next-http-middleware
    < 3.9.7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H