How CVE-2026-48713 Works
i18next-fs-backend is a backend layer for i18next that loads translations from the filesystem in Node.js and Deno. Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys.
The vulnerability exists in the `Backend.writeFile()` function, which processes missing translation keys that need to be persisted. When a missing key is encountered, the function splits the key string on the configured `keySeparator` (default is `.`) before calling the internal `setPath()` walker. This walker, implemented as `getLastOfPath` in lib/utils.js, traverses the object path to write the value.
The critical flaw is that the walker did not guard against unsafe segments. An attacker can craft a missing-key string like `"__proto__.polluted"`, which gets split into `["__proto__", "polluted"]` and walked straight into `Object.prototype`. This allows the attacker to write arbitrary properties onto the global object prototype.
The attack chain requires three conditions: (1) i18next-fs-backend ≤ 2.6.5 is configured as the backend, (2) i18next-http-middleware’s `missingKeyHandler` (or another route forwarding untrusted input to `i18next.t()` with saveMissing: true) is reachable by untrusted users, and (3) the default `keySeparator` splitting behavior is in use (i.e., `keySeparator` is not false).
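To make the walker behaviour concrete, here is an added example (hypothetical, simplified code in the style described above, not i18next-fs-backend's own implementation): a pre-fix style walker beside a hardened one, plus a small probe that reports whether a write reached `Object.prototype`. The names `splitKey`, `setPathUnsafe`, `setPathSafe` and `pollutes` are assumptions; the `keySeparator === false` branch shows why the workaround in condition (3) also stops the write.

```javascript
// Hypothetical, simplified path walker in the style the advisory
// describes; not i18next-fs-backend's own code.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// keySeparator: false (the advisory's workaround) keeps the whole key as one segment.
function splitKey(key, keySeparator) {
  return keySeparator === false ? [key] : key.split(keySeparator);
}

// Pre-2.6.6 style walker: every segment is followed, so "__proto__"
// resolves to Object.prototype and the final write lands there.
function setPathUnsafe(obj, key, value, keySeparator = '.') {
  const path = splitKey(key, keySeparator);
  let node = obj;
  for (let i = 0; i < path.length - 1; i++) {
    if (typeof node[path[i]] !== 'object' || node[path[i]] === null) {
      node[path[i]] = {};
    }
    node = node[path[i]];
  }
  node[path[path.length - 1]] = value;
  return obj;
}

// Hardened walker: rejects the special segments up front and only
// descends through own properties, so no key can reach the prototype.
function setPathSafe(obj, key, value, keySeparator = '.') {
  const path = splitKey(key, keySeparator);
  const bad = path.find((seg) => UNSAFE_SEGMENTS.has(seg));
  if (bad !== undefined) throw new Error(`unsafe key segment: ${bad}`);
  let node = obj;
  for (let i = 0; i < path.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(node, path[i]);
    if (!own || typeof node[path[i]] !== 'object' || node[path[i]] === null) {
      node[path[i]] = {};
    }
    node = node[path[i]];
  }
  node[path[path.length - 1]] = value;
  return obj;
}
// Detection helper for the demo: did writing `key` through `walker`
// leave an own property on Object.prototype? Cleans up afterwards.
function pollutes(walker, key, keySeparator = '.') {
  const probe = 'cve-2026-48713-probe';
  try { walker({}, key, probe, keySeparator); } catch { return false; }
  const leaf = splitKey(key, keySeparator).pop();
  const hit = Object.prototype.hasOwnProperty.call(Object.prototype, leaf) && Object.prototype[leaf] === probe;
  if (hit) delete Object.prototype[leaf];
  return hit;
}
```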
The companion vulnerability CVE-2026-48714 affects i18next-http-middleware versions prior to 3.9.7, where the `missingKeyHandler` blocked literal keys like `__proto__` but failed to reject dotted variants such as "__proto__.polluted".
Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks.
DailyCVE Form:
Platform: Node.js / Deno
Version: ≤ 2.6.5
Vulnerability: Prototype Pollution
Severity: Critical (CVSS 9.1)
Date: 2026-06-15
Prediction: 2026-06-16
What Undercode Say
Analytics:
# Check i18next-fs-backend version
npm list i18next-fs-backend
# Check i18next-http-middleware version
npm list i18next-http-middleware
# Audit for prototype pollution vulnerabilities
npm audit | grep -i prototype
Exploit:
// Crafted missing-key payload sent via missingKeyHandler
// POST /missing-key-endpoint
{
  "key": "__proto__.polluted",
  "value": "attacker-controlled"
}
// The key is split on '.' -> ["__proto__", "polluted"]
// Walked into Object.prototype, setting Object.prototype.polluted

# Example curl exploit against exposed missingKeyHandler
curl -X POST https://target.com/i18next/missing \
  -H "Content-Type: application/json" \
  -d '{"key":"__proto__.isAdmin","value":true}'
Protection:
// Upgrade to patched versions
npm install i18next-fs-backend@2.6.6
npm install i18next-http-middleware@3.9.7

// Workaround: Disable keySeparator
i18next.init({
  keySeparator: false // Note: disables nested translation keys
});

// Workaround: Disable missing-key persistence
i18next.init({
  saveMissing: false // Prevents writing missing keys
});

// Workaround: Filter request body before missingKeyHandler
app.use('/i18next/missing', (req, res, next) => {
  const unsafe = ['__proto__', 'constructor', 'prototype'];
  if (unsafe.some(k => req.body.key?.includes(k))) {
    return res.status(400).send('Invalid key');
  }
  next();
});
Impact:
- Remote prototype pollution allowing attackers to write arbitrary properties onto `Object.prototype`
- Potential application crashes due to unexpected prototype mutations
- Corrupted translation behaviour affecting all users
- Configuration poisoning that may alter application behaviour
- Bypass of property-based security checks (e.g., `if (user.isAdmin)` checks)
- Chained exploitation with other vulnerabilities for increased impact
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

