Skip to main content

i18next-http-middleware CVE-2026-41683

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-04-22 https://github.com/i18next/i18next-http-middleware GHSA-c3h8-g69v-pjrg
8.6
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.6 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
High
Availability
Low

Lifecycle Timeline

4
Analysis Generated
Apr 23, 2026 - 06:51 vuln.today
Analysis Generated
Apr 22, 2026 - 20:31 vuln.today
Patch released
Apr 22, 2026 - 20:31 nvd
Patch available
CVE Published
Apr 22, 2026 - 20:25 nvd
HIGH 8.6

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 npm packages depend on i18next-http-middleware (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.9.3.

DescriptionGitHub Advisory

Summary

Versions of i18next-http-middleware prior to 3.9.3 wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older i18next (< 19.5.0) that still exercised the backward-compatibility fallback at LanguageDetector.js:100 or otherwise produced a raw detected value, CRLF sequences in the attacker-controlled lng parameter reached res.setHeader('Content-Language', ...) verbatim.

Impact

Two concrete outcomes depending on the Node.js version:

  • Node.js < 14.6.0 - HTTP response splitting. An attacker crafting a request like GET /?lng=en%0d%0aX-Injected%3A+malicious could inject arbitrary additional HTTP response headers, enabling:
  • Session fixation via an injected Set-Cookie
  • Cache poisoning (injecting Location, Content-Type, etc.)
  • Reflected XSS in controlled response bodies
  • Node.js ≥ 14.6.0 - denial of service. res.setHeader() throws ERR_INVALID_CHAR when the value contains CRLF. Because the middleware did not catch this error, it propagated as an unhandled exception, returning a 500 response to all concurrent users sharing that process (in worker-pool deployments this can knock out a full server instance).

The same header-setting code path fires inside the languageChanged event listener and again in the main middleware flow, so the flaw was triggered at least twice per affected request.

Related (same release)

Version 3.9.3 also tightens the hasXSS() regex that was designed as a secondary filter on detected language values. The previous pattern /<\s*\w+\s*on\w+\s*=.*?>/i only matched event handlers in the first attribute position, so payloads like <input autofocus onfocus=alert(1)> bypassed the filter. Applications that rendered res.locals.language into HTML with a context-unsafe templating mode (EJS <%- %>, Pug !{…}, Handlebars {{{…}}}) could be XSSed despite the filter being in place. This bypass is noted here because it is fixed in the same release, but the primary vulnerability reported in this advisory is the CRLF/header-injection path above.

Affected versions

< 3.9.3.

Patch

Fixed in 3.9.3. The patch introduces utils.sanitizeHeaderValue(str) which strips \r, \n, and other C0/C1 control characters, and replaces both utils.escape(lng) call sites in lib/index.js with it. The hasXSS() regex has also been tightened to match event-handler attributes at any position.

Workarounds

No workaround short of upgrading. Front-proxying the middleware with a WAF rule that rejects \r/\n in query parameters, cookies, and path segments is a partial mitigation.

Credits

Discovered via an internal security audit of the i18next ecosystem.

AnalysisAI

HTTP response splitting and denial-of-service in i18next-http-middleware < 3.9.3 allows remote unauthenticated attackers to inject arbitrary HTTP headers or crash Node.js processes via CRLF sequences in the lng parameter. On Node.js < 14.6.0, attackers achieve response splitting enabling session fixation, cache poisoning, and reflected XSS. On Node.js ≥ 14.6.0, malformed headers trigger unhandled ERR_INVALID_CHAR exceptions, returning 500 errors to all concurrent users sharing the affected process. Vendor-released patch available in version 3.9.3. No public exploit identified at time of analysis, though exploitation is trivial given the attack vector (simple query parameter manipulation).

Technical ContextAI

The vulnerability exists in i18next-http-middleware's language detection and header-setting mechanism. When used with older i18next versions (< 19.5.0), the LanguageDetector module's backward-compatibility fallback passes raw user-controlled language values through utils.escape(), an HTML entity encoder that does not sanitize CRLF characters (\r\n). These unsanitized values flow directly into res.setHeader('Content-Language', ...), executed both in the languageChanged event listener and the main middleware flow. The root cause maps to CWE-79 (Improper Neutralization of Input During Web Page Generation), though the primary impact manifests as HTTP header injection rather than traditional XSS. The flaw represents a classic example of using the wrong sanitization primitive-HTML encoding does not provide protection against HTTP header injection attacks, which require removal or encoding of control characters per RFC 7230. The vulnerability also exposed a secondary XSS filter bypass in hasXSS() that failed to detect event handlers beyond the first attribute position, affecting applications rendering res.locals.language with unescaped templating modes.

RemediationAI

Upgrade i18next-http-middleware to version 3.9.3 or later immediately. This release introduces utils.sanitizeHeaderValue() which strips carriage return, line feed, and all C0/C1 control characters before passing language values to res.setHeader(), eliminating both the response-splitting and DoS vectors. The patch also tightens the hasXSS() regex to detect event-handler attributes at any position, closing the secondary XSS filter bypass. Review package.json and lock files to ensure the upgrade propagates through all dependency trees-check both direct dependencies and transitive pulls via other i18next ecosystem packages. Update command: npm install i18next-http-middleware@3.9.3 or yarn upgrade i18next-http-middleware@3.9.3. After upgrading, validate that custom language detection logic (if any) does not reintroduce raw user input into response headers. As a temporary mitigation for systems where immediate upgrades are infeasible, deploy a WAF rule or reverse-proxy filter (nginx, Cloudflare WAF) to reject HTTP requests containing \r (percent-encoded as %0D) or \n (%0A) in query parameters, cookies, request paths, and Accept-Language headers-note this is a partial defense that may break legitimate use cases involving encoded content and does not address the DoS vector on Node.js ≥ 14.6.0. Consider adding process-level error handlers (process.on('uncaughtException')) as a stop-gap to prevent full process crashes, though this introduces complexity around graceful shutdown and may mask other bugs. No workaround fully closes the vulnerability; upgrading is the only complete remediation.

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-41683 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy