i18next-http-middleware CVE-2026-41683
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1 npm packages depend on i18next-http-middleware (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 3.9.3.
DescriptionGitHub Advisory
Summary
Versions of i18next-http-middleware prior to 3.9.3 wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older i18next (< 19.5.0) that still exercised the backward-compatibility fallback at LanguageDetector.js:100 or otherwise produced a raw detected value, CRLF sequences in the attacker-controlled lng parameter reached res.setHeader('Content-Language', ...) verbatim.
Impact
Two concrete outcomes depending on the Node.js version:
- Node.js < 14.6.0 - HTTP response splitting. An attacker crafting a request like
GET /?lng=en%0d%0aX-Injected%3A+maliciouscould inject arbitrary additional HTTP response headers, enabling: - Session fixation via an injected
Set-Cookie - Cache poisoning (injecting
Location,Content-Type, etc.) - Reflected XSS in controlled response bodies
- Node.js ≥ 14.6.0 - denial of service.
res.setHeader()throwsERR_INVALID_CHARwhen the value contains CRLF. Because the middleware did not catch this error, it propagated as an unhandled exception, returning a 500 response to all concurrent users sharing that process (in worker-pool deployments this can knock out a full server instance).
The same header-setting code path fires inside the languageChanged event listener and again in the main middleware flow, so the flaw was triggered at least twice per affected request.
Related (same release)
Version 3.9.3 also tightens the hasXSS() regex that was designed as a secondary filter on detected language values. The previous pattern /<\s*\w+\s*on\w+\s*=.*?>/i only matched event handlers in the first attribute position, so payloads like <input autofocus onfocus=alert(1)> bypassed the filter. Applications that rendered res.locals.language into HTML with a context-unsafe templating mode (EJS <%- %>, Pug !{…}, Handlebars {{{…}}}) could be XSSed despite the filter being in place. This bypass is noted here because it is fixed in the same release, but the primary vulnerability reported in this advisory is the CRLF/header-injection path above.
Affected versions
< 3.9.3.
Patch
Fixed in 3.9.3. The patch introduces utils.sanitizeHeaderValue(str) which strips \r, \n, and other C0/C1 control characters, and replaces both utils.escape(lng) call sites in lib/index.js with it. The hasXSS() regex has also been tightened to match event-handler attributes at any position.
Workarounds
No workaround short of upgrading. Front-proxying the middleware with a WAF rule that rejects \r/\n in query parameters, cookies, and path segments is a partial mitigation.
Credits
Discovered via an internal security audit of the i18next ecosystem.
AnalysisAI
HTTP response splitting and denial-of-service in i18next-http-middleware < 3.9.3 allows remote unauthenticated attackers to inject arbitrary HTTP headers or crash Node.js processes via CRLF sequences in the lng parameter. On Node.js < 14.6.0, attackers achieve response splitting enabling session fixation, cache poisoning, and reflected XSS. On Node.js ≥ 14.6.0, malformed headers trigger unhandled ERR_INVALID_CHAR exceptions, returning 500 errors to all concurrent users sharing the affected process. Vendor-released patch available in version 3.9.3. No public exploit identified at time of analysis, though exploitation is trivial given the attack vector (simple query parameter manipulation).
Technical ContextAI
The vulnerability exists in i18next-http-middleware's language detection and header-setting mechanism. When used with older i18next versions (< 19.5.0), the LanguageDetector module's backward-compatibility fallback passes raw user-controlled language values through utils.escape(), an HTML entity encoder that does not sanitize CRLF characters (\r\n). These unsanitized values flow directly into res.setHeader('Content-Language', ...), executed both in the languageChanged event listener and the main middleware flow. The root cause maps to CWE-79 (Improper Neutralization of Input During Web Page Generation), though the primary impact manifests as HTTP header injection rather than traditional XSS. The flaw represents a classic example of using the wrong sanitization primitive-HTML encoding does not provide protection against HTTP header injection attacks, which require removal or encoding of control characters per RFC 7230. The vulnerability also exposed a secondary XSS filter bypass in hasXSS() that failed to detect event handlers beyond the first attribute position, affecting applications rendering res.locals.language with unescaped templating modes.
RemediationAI
Upgrade i18next-http-middleware to version 3.9.3 or later immediately. This release introduces utils.sanitizeHeaderValue() which strips carriage return, line feed, and all C0/C1 control characters before passing language values to res.setHeader(), eliminating both the response-splitting and DoS vectors. The patch also tightens the hasXSS() regex to detect event-handler attributes at any position, closing the secondary XSS filter bypass. Review package.json and lock files to ensure the upgrade propagates through all dependency trees-check both direct dependencies and transitive pulls via other i18next ecosystem packages. Update command: npm install i18next-http-middleware@3.9.3 or yarn upgrade i18next-http-middleware@3.9.3. After upgrading, validate that custom language detection logic (if any) does not reintroduce raw user input into response headers. As a temporary mitigation for systems where immediate upgrades are infeasible, deploy a WAF rule or reverse-proxy filter (nginx, Cloudflare WAF) to reject HTTP requests containing \r (percent-encoded as %0D) or \n (%0A) in query parameters, cookies, request paths, and Accept-Language headers-note this is a partial defense that may break legitimate use cases involving encoded content and does not address the DoS vector on Node.js ≥ 14.6.0. Consider adding process-level error handlers (process.on('uncaughtException')) as a stop-gap to prevent full process crashes, though this introduces complexity around graceful shutdown and may mask other bugs. No workaround fully closes the vulnerability; upgrading is the only complete remediation.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-c3h8-g69v-pjrg