Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:L
Lifecycle Timeline
4Blast Radius
ecosystem impact- 2 npm packages depend on locize (1 direct, 1 indirect)
Ecosystem-wide dependent count for version 4.0.21.
DescriptionGitHub Advisory
locize is a localization platform that connects code and i18n setup. Prior to version 4.0.21, the locize client SDK registers a window.addEventListener("message", …) handler that dispatches to registered internal handlers (editKey, commitKey, commitKeys, isLocizeEnabled, requestInitialize, …) without validating event.origin. The pre-patch listener in src/api/postMessage.js gates dispatch on event.data.sender === "i18next-editor-frame" - that value sits inside the attacker-controlled message payload, not the browser-enforced origin. Any web page that could embed or be embedded by a locize-enabled host - an iframe on a third-party page, a window.open-ed victim, a parent frame reaching down - could send a crafted postMessage and trigger the internal handlers. This issue has been patched in version 4.0.21.
AnalysisAI
Cross-origin DOM XSS and handler hijacking in the locize client SDK (browser module) allows remote attackers to execute arbitrary JavaScript, steal translation content, and manipulate the InContext editor UI. Attackers exploit missing postMessage origin validation by crafting messages from any embedded iframe, opened window, or parent frame that shares a window reference with a locize-enabled page. The vulnerability affects all versions prior to 4.0.21, with the vendor confirming exploitation through multiple handler paths (editKey, commitKeys, isLocizeEnabled, requestPopupChanges). No public exploit identified at time of analysis, though the GitHub security advisory provides detailed exploitation vectors including innerHTML injection, attribute-based XSS (onclick, href="javascript:"), and API endpoint hijacking to intercept translation data.
Technical ContextAI
The locize SDK is a browser-based JavaScript client for the locize localization platform's InContext editor feature, enabling live translation editing within web applications. The vulnerability stems from an insecure postMessage event listener in src/api/postMessage.js that validates event.data.sender (attacker-controlled payload data) instead of event.origin (browser-enforced source). This violates the Web Messaging API security model where origin validation is mandatory to prevent cross-origin attacks. The CWE-79 classification (Improper Neutralization of Input During Web Page Generation) applies because multiple handlers (editKey, commitKeys, requestPopupChanges) directly assign attacker-controlled payload values to DOM properties (innerHTML, setAttribute, style.setProperty) without sanitization. The affected component is the npm package 'locize' identified by CPE cpe:2.3:a:locize:locize:*:*:*:*:*:*:*:*, specifically versions below 4.0.21. The postMessage listener registers globally on window load, creating a persistent attack surface for any cross-origin context that can establish a window reference relationship.
RemediationAI
Upgrade the locize npm package to version 4.0.21 or later immediately using npm update locize or yarn upgrade locize, as documented in the release notes at https://github.com/locize/locize/releases/tag/v4.0.21. The patch commit d006b75fadb8e8ab77b023e462850fc6e9170735 (https://github.com/locize/locize/commit/d006b75fadb8e8ab77b023e462850fc6e9170735) implements mandatory event.origin validation against an allowlist of trusted editor origins before dispatching to internal handlers, blocking cross-origin postMessage attacks. If immediate upgrade is not feasible, implement defense-in-depth controls: (1) deploy Content Security Policy headers with script-src directives that block inline script execution and restrict script sources to trusted domains, mitigating XSS impact even if innerHTML injection occurs (trade-off: may break legitimate inline scripts in the application); (2) avoid embedding untrusted third-party content in iframes on pages that load the locize SDK, and validate all window.open calls to prevent establishing attacker-controlled window references (trade-off: limits certain integration patterns); (3) disable the InContext editor feature in production environments if not actively used for translation workflows, reducing the attack surface (trade-off: loses live editing capability). Note that CSP alone does not prevent API hijacking via isLocizeEnabled handler - upgrading to 4.0.21 is the only complete fix. Review application logs for unexpected postMessage activity patterns and audit translation content for injected scripts as forensic measures.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28796