Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Network-reachable and unauthenticated, but AC:H because exploitation requires a vulnerable downstream backend (i18next-fs-backend ≤ 2.6.5) and an exposed missingKeyHandler with saveMissing enabled; no confidentiality impact.
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Description (CVE.org)
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not reject dotted variants such as "__proto__.polluted". Downstream backends that split the missing-key string on a configured keySeparator (notably i18next-fs-backend ≤ 2.6.5) hand these keys to an unguarded setPath() walker that writes to Object.prototype.

Applications that expose missingKeyHandler to untrusted input AND use i18next-fs-backend ≤ 2.6.5 are directly exploitable for remote prototype pollution. Other downstream backends that split the missing-key string the same way may be similarly affected. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks.

This issue has been fixed in version 3.9.7. If developers cannot upgrade immediately, they should do the following:
- do not expose missingKeyHandler to untrusted users (mount it behind authentication, or remove the route),
- add a request-body filter ahead of the handler that rejects any top-level key containing __proto__, constructor, or prototype after splitting on their configured keySeparator, and
- disable missing-key persistence (saveMissing: false) when accepting writes from untrusted input.
Analysis (AI)
Remote prototype pollution in i18next-http-middleware before 3.9.7 allows unauthenticated attackers to write to Object.prototype by submitting dotted request-body keys such as '__proto__.polluted' to the missingKeyHandler. The 3.9.3 denylist blocked only literal unsafe keys; downstream backends (notably i18next-fs-backend ≤ 2.6.5) that split missing-key strings on the configured keySeparator then walked these segments into an unguarded setPath(). …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires that the application (1) mounts i18next-http-middleware's missingKeyHandler on an HTTP route reachable by the attacker without authentication, (2) configures i18next with saveMissing enabled, (3) uses a downstream backend that splits the missing-key string on the configured keySeparator before persisting (explicitly i18next-fs-backend ≤ 2.6.5; the advisory notes that other split-and-persist backends may behave the same way), and (4) leaves keySeparator at a non-false value (default '.'), since keySeparator=false disables segment splitting and reduces the issue to the already-blocked literal-key case. … |
| Risk Assessment | CVSS 3.1 base of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H) reflects unauthenticated, network-reachable prototype pollution with high integrity and availability impact and no confidentiality impact. This is consistent with the description, since the primary outcomes are crashes, corrupted translations, configuration poisoning, and bypassed property-based security checks rather than data disclosure. … |
| Exploit Scenario | An attacker sends an HTTP POST to an Express or Fastify app that mounts i18next-http-middleware's missingKeyHandler at a public route, with a JSON body like {"__proto__.polluted": "PWNED"}. The middleware's literal-key denylist lets the dotted key through; i18next-fs-backend ≤ 2.6.5 splits it on '.' and writes to Object.prototype, after which every plain object in the process inherits a 'polluted' property. This enables crashes, corrupted translation output, configuration poisoning, or bypasses of code that checks properties such as isAdmin via 'in' or hasOwnProperty fallthrough. … |
| Remediation | Vendor-released patch: upgrade i18next-http-middleware to 3.9.7, which adds utils.hasUnsafeKeySegment() and rejects any key whose segments under the configured keySeparator contain __proto__, constructor, or prototype. Pair this with upgrading i18next-fs-backend to 2.6.6 to remove the root-cause setPath() walk. … |
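The segment-aware check that the description's workaround and the remediation row both call for, as an added JavaScript example (not i18next-http-middleware's own code; `keyHasUnsafeSegment`, `findUnsafeBodyKeys` and `rejectUnsafeMissingKeys` are names chosen here): it contrasts the pre-3.9.7 literal match with splitting on the configured `keySeparator` before testing every segment, and honours `keySeparator: false`.

```javascript
// Added example (not i18next-http-middleware's own code): a request-body guard
// implementing the workaround and fix described above. The 3.9.3 denylist
// compared whole keys; the check must instead test every segment after
// splitting on the configured keySeparator, because a backend such as
// i18next-fs-backend <= 2.6.5 splits "__proto__.polluted" into
// ["__proto__", "polluted"] before walking it into the translation object.

const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Pre-3.9.7 style check, kept for contrast: only a literal match is rejected.
function isLiteralUnsafeKey(key) {
  return UNSAFE_SEGMENTS.has(key);
}

// Segment-aware check (name chosen here; same idea as the 3.9.7 fix).
// Split exactly as i18next would, then test each segment. keySeparator === false
// means i18next does not split keys, so the whole key is the only segment.
function keyHasUnsafeSegment(key, keySeparator = '.') {
  if (typeof key !== 'string') return true; // only strings are valid keys
  const segments = keySeparator === false ? [key] : key.split(keySeparator);
  return segments.some((seg) => UNSAFE_SEGMENTS.has(seg));
}

// Lists offending top-level keys of a parsed JSON body. Object.keys() returns
// own properties, and JSON.parse stores a "__proto__" key as an own property,
// so the literal key is covered as well as dotted variants.
function findUnsafeBodyKeys(body, keySeparator = '.') {
  if (body === null || typeof body !== 'object') return [];
  return Object.keys(body).filter((k) => keyHasUnsafeSegment(k, keySeparator));
}

// Express-style middleware to mount ahead of missingKeyHandler; pass the same
// keySeparator that the i18next instance is configured with.
function rejectUnsafeMissingKeys(keySeparator = '.') {
  return function (req, res, next) {
    const bad = findUnsafeBodyKeys(req.body, keySeparator);
    if (bad.length > 0) {
      res.status(400).json({ error: 'unsafe translation key', keys: bad });
      return;
    }
    next();
  };
}

// Constructed sample body: the dotted key slips past the literal check but not
// the segment check.
const sampleBody = JSON.parse('{"__proto__.polluted": "x", "greeting": "hi"}');
console.log('literal check flags:', Object.keys(sampleBody).filter(isLiteralUnsafeKey));
console.log('segment check flags:', findUnsafeBodyKeys(sampleBody));
```

On Fastify the same `findUnsafeBodyKeys` call fits a preHandler hook using `reply.code(400).send(...)` instead of the Express response methods.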
Recommended Action (AI)
24 hours: Identify and inventory all applications using i18next-http-middleware and i18next-fs-backend (≤2.6.5); document whether instances are exposed to untrusted networks. …
EUVD-2026-37006