Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 6 npm packages depend on i18next-locize-backend (4 direct, 2 indirect)
Ecosystem-wide dependent count for version 9.0.2.
DescriptionGitHub Advisory
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of these values to user-controlled input (?lng= / ?ns= query parameters via i18next-browser-languagedetector, cookies, request headers, or a URL-derived projectId), a crafted value can change the structure of the outgoing request URL. Affected call sites in lib/index.js (pre-patch): the interpolate() helper is used at the five URL-build sites - _readAny/read (line 415 for private, 426 for public), getLanguages (lines 271 and 296), and writePage (lines 616 and 622) for the missing-key and update POST paths. The helper interpolate in lib/utils.js substitutes raw values with no encoding. This issue has been patched in version 9.0.2.
AnalysisAI
URL injection via unsanitized path parameters in i18next-locize-backend prior to 9.0.2 allows remote attackers to manipulate translation resource URLs by injecting path traversal sequences, query strings, or fragments through user-controlled lng, ns, projectId, or version parameters. When these values are exposed via query parameters, cookies, or request headers through i18next-browser-languagedetector, an attacker can redirect requests to unintended translation resources or trigger SSRF/arbitrary-file-read attacks against internal/file-scheme URLs. No public exploit code has been identified, but the vulnerability is straightforward to exploit given network-accessible backend services.
Technical ContextAI
i18next-locize-backend is a Node.js library that integrates i18next internationalization with the locize.com translation management service. It constructs HTTP URLs by interpolating user-supplied parameters (lng, ns, projectId, version) directly into URL templates (loadPath, privatePath, addPath, updatePath, getLanguagesPath) without encoding or validation. The affected interpolate() helper in lib/utils.js performs simple string substitution without RFC 3986 path-component encoding. Additionally, the pre-patch code iterates over object properties using for...in loops in the defaults() helper, exposing a secondary prototype-pollution vector where polluted Object.prototype properties could leak into URL construction. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), manifesting as URL structural manipulation rather than traditional filesystem traversal. The fix (version 9.0.2) introduces interpolateUrl(), isSafeUrlSegment(), and sanitizeLogValue() helpers that encode path components and exclude prototype-chain pollution.
RemediationAI
Upgrade i18next-locize-backend to version 9.0.2 or later. This release introduces proper URL-component encoding and path-traversal validation through new interpolateUrl() and isSafeUrlSegment() helpers. For applications unable to immediately upgrade, apply defense-in-depth controls: (1) Do not expose lng, ns, projectId, or version to untrusted user input via query parameters, cookies, or request headers. If i18next-browser-languagedetector is used, restrict its data sources to hardcoded application configuration rather than user-supplied parameters. (2) Validate and whitelist lng and ns values against a known-good list of supported languages and namespaces before passing them to i18next-locize-backend. This is the most effective mitigation for applications that cannot immediately patch. (3) If using custom loadPath configurations with internal or file-scheme URLs, restrict backend service network access through firewall rules or service-mesh policies to prevent SSRF attacks. The trade-off of these workarounds is operational complexity; patching is strongly preferred. Vendor advisory: https://github.com/locize/i18next-locize-backend/security/advisories/GHSA-mgcp-mfp8-3q45
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-22 – Path Traversal
View allSame technique Path Traversal
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28795