Skip to main content

i18next-locize-backend CVE-2026-41885

| EUVDEUVD-2026-28795 MEDIUM
Path Traversal (CWE-22)
2026-05-08 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
May 08, 2026 - 17:02 EUVD
Source Code Evidence Fetched
May 08, 2026 - 16:33 vuln.today
Analysis Generated
May 08, 2026 - 16:33 vuln.today
CVE Published
May 08, 2026 - 15:41 nvd
MEDIUM 6.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 npm packages depend on i18next-locize-backend (4 direct, 2 indirect)

Ecosystem-wide dependent count for version 9.0.2.

DescriptionGitHub Advisory

i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of these values to user-controlled input (?lng= / ?ns= query parameters via i18next-browser-languagedetector, cookies, request headers, or a URL-derived projectId), a crafted value can change the structure of the outgoing request URL. Affected call sites in lib/index.js (pre-patch): the interpolate() helper is used at the five URL-build sites - _readAny/read (line 415 for private, 426 for public), getLanguages (lines 271 and 296), and writePage (lines 616 and 622) for the missing-key and update POST paths. The helper interpolate in lib/utils.js substitutes raw values with no encoding. This issue has been patched in version 9.0.2.

AnalysisAI

URL injection via unsanitized path parameters in i18next-locize-backend prior to 9.0.2 allows remote attackers to manipulate translation resource URLs by injecting path traversal sequences, query strings, or fragments through user-controlled lng, ns, projectId, or version parameters. When these values are exposed via query parameters, cookies, or request headers through i18next-browser-languagedetector, an attacker can redirect requests to unintended translation resources or trigger SSRF/arbitrary-file-read attacks against internal/file-scheme URLs. No public exploit code has been identified, but the vulnerability is straightforward to exploit given network-accessible backend services.

Technical ContextAI

i18next-locize-backend is a Node.js library that integrates i18next internationalization with the locize.com translation management service. It constructs HTTP URLs by interpolating user-supplied parameters (lng, ns, projectId, version) directly into URL templates (loadPath, privatePath, addPath, updatePath, getLanguagesPath) without encoding or validation. The affected interpolate() helper in lib/utils.js performs simple string substitution without RFC 3986 path-component encoding. Additionally, the pre-patch code iterates over object properties using for...in loops in the defaults() helper, exposing a secondary prototype-pollution vector where polluted Object.prototype properties could leak into URL construction. The root cause is CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), manifesting as URL structural manipulation rather than traditional filesystem traversal. The fix (version 9.0.2) introduces interpolateUrl(), isSafeUrlSegment(), and sanitizeLogValue() helpers that encode path components and exclude prototype-chain pollution.

RemediationAI

Upgrade i18next-locize-backend to version 9.0.2 or later. This release introduces proper URL-component encoding and path-traversal validation through new interpolateUrl() and isSafeUrlSegment() helpers. For applications unable to immediately upgrade, apply defense-in-depth controls: (1) Do not expose lng, ns, projectId, or version to untrusted user input via query parameters, cookies, or request headers. If i18next-browser-languagedetector is used, restrict its data sources to hardcoded application configuration rather than user-supplied parameters. (2) Validate and whitelist lng and ns values against a known-good list of supported languages and namespaces before passing them to i18next-locize-backend. This is the most effective mitigation for applications that cannot immediately patch. (3) If using custom loadPath configurations with internal or file-scheme URLs, restrict backend service network access through firewall rules or service-mesh policies to prevent SSRF attacks. The trade-off of these workarounds is operational complexity; patching is strongly preferred. Vendor advisory: https://github.com/locize/i18next-locize-backend/security/advisories/GHSA-mgcp-mfp8-3q45

CVE-2024-55591 CRITICAL POC
9.8 Jan 14

FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote

CVE-2014-7205 CRITICAL POC
10.0 Oct 08

Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t

CVE-2025-59528 CRITICAL POC
10.0 Sep 22

Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete

CVE-2017-14849 HIGH POC
7.5 Sep 28

Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc

CVE-2017-5941 CRITICAL POC
9.8 Feb 09

An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner

CVE-2014-3744 HIGH POC
7.5 Oct 23

Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi

CVE-2014-9566 HIGH POC
7.5 Mar 10

Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin

CVE-2013-4660 MEDIUM POC
6.8 Jun 28

The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic

CVE-2015-5688 MEDIUM POC
5.0 Sep 04

Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read

CVE-2026-45321 CRITICAL POC
9.6 May 12

Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio

CVE-2014-7192 CRITICAL POC
10.0 Dec 11

Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat

CVE-2013-4450 MEDIUM POC
5.0 Oct 21

The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se

Share

CVE-2026-41885 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy