Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 2 npm packages depend on i18next-fs-backend (2 direct, 0 indirect)
Ecosystem-wide dependent count for version 2.6.4.
DescriptionGitHub Advisory
i18next-fs-backend is a backend layer for i18next using in Node.js and for Deno to load translations from the filesystem. Prior to version 2.6.4, i18next-fs-backend substitutes the lng and ns options directly into the configured loadPath / addPath templates and then read / write the resulting file from disk. The interpolation is unencoded and unvalidated, so a crafted lng or ns value - containing .., a path separator, a control character, a prototype key, or simply an unexpectedly long string - allows an attacker who can influence either value to read or overwrite files outside the intended locale directory. When lng / ns are derived from untrusted input (request-scoped i18next instances behind an HTTP layer such as i18next-http-middleware, or any framework that lets the end user pick the language via query string, cookie, or header), a single request such as ?lng=../../../../etc/passwd causes the backend to attempt to read that path. This issue has been patched in version 2.6.4.
AnalysisAI
Path traversal in i18next-fs-backend allows remote unauthenticated attackers to read arbitrary files (including /etc/passwd) or overwrite application files when language/namespace parameters derive from user input. Applications exposing i18next language detection via query strings, cookies, or headers (common with i18next-http-middleware or i18next-browser-languagedetector) are vulnerable to immediate exploitation with zero authentication (CVSS AV:N/AC:L/PR:N/UI:N). GitHub security advisory confirms the vulnerability with proof-of-concept parameter ?lng=../../../../etc/passwd. Fixed in version 2.6.4; vulnerable versions also support eval-based .js/.ts locale loading, creating a code execution chain when traversal targets executable files.
Technical ContextAI
i18next-fs-backend is a Node.js/Deno filesystem persistence layer for the i18next internationalization framework (npm package i18next-fs-backend, CPE 2.3:a:i18next:i18next-fs-backend). The backend interpolates caller-supplied lng (language code) and ns (namespace) parameters directly into loadPath and addPath template strings (e.g., /locales/{{lng}}/{{ns}}.json) without path sanitization or traversal prevention. The interpolate helper in lib/utils.js performs raw string substitution with no encoding-unlike i18next-http-backend's addQueryString which validates URL components. CWE-73 (External Control of File Name or Path) is the root cause: attacker-controlled input dictates filesystem operations. The vulnerability surfaces in three call sites: read() (line 38, loads translation files), removeFile() (line 101), and writeFile() (line 127, for missing-key persistence). When applications use i18next-http-middleware or i18next-browser-languagedetector-which automatically populate lng from ?lng= query parameters, Accept-Language headers, or cookies-the file path becomes fully attacker-controlled with a single HTTP request.
RemediationAI
Upgrade i18next-fs-backend to version 2.6.4 or later immediately. The patch introduces path-component validation in lib/utils.js interpolate() to reject traversal sequences (..), absolute paths, and path separators in lng/ns values before filesystem operations. Install via npm: npm install i18next-fs-backend@2.6.4 or yarn add i18next-fs-backend@2.6.4. Vendor advisory and patch details available at https://github.com/i18next/i18next-fs-backend/security/advisories/GHSA-8847-338w-5hcj. If immediate upgrade is not feasible, implement application-layer input validation: whitelist lng to ISO 639-1 two-letter codes (^[a-z]{2}(-[A-Z]{2})?$) and ns to alphanumeric namespace identifiers (^[a-zA-Z0-9_-]+$) before passing to i18next. This validation must occur before the i18next.changeLanguage() or i18next.t() call-framework-provided language detection middleware alone does not sanitize. Side effect of strict whitelisting: non-standard locale codes (e.g., zh-Hans-CN with multiple hyphens) may be rejected; adjust regex to business requirements while blocking . and / characters. Do not rely on chroot or filesystem permissions as primary mitigation-the writeFile code path can still corrupt application files within the accessible directory tree.
FortiOS and FortiProxy contain an authentication bypass via the Node.js websocket module allowing unauthenticated remote
Eval injection vulnerability in the internals.batch function in lib/batch.js in the bassmaster plugin before 1.5.2 for t
Flowise version 3.0.5 contains a remote code execution vulnerability in the CustomMCP node. The mcpServerConfig paramete
Node.js 8.5.0 before 8.6.0 allows remote attackers to access unintended files, because a change to ".." handling was inc
An issue was discovered in the node-serialize package 0.0.4 for Node.js. Rated critical severity (CVSS 9.8), this vulner
Directory traversal vulnerability in the st module before 0.2.5 for Node.js allows remote attackers to read arbitrary fi
Multiple SQL injection vulnerabilities in the Manage Accounts page in the AccountManagement.asmx service in the Solarwin
The JS-YAML module before 2.0.5 for Node.js parses input without properly considering the unsafe !!js/function tag, whic
Directory traversal vulnerability in lib/app/index.js in Geddy before 13.0.8 for Node.js allows remote attackers to read
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Eval injection vulnerability in index.js in the syntax-error package before 1.1.1 for Node.js 0.10.x, as used in IBM Rat
The HTTP server in Node.js 0.10.x before 0.10.21 and 0.8.x before 0.8.26 allows remote attackers to cause a denial of se
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28793