CVE-2026-41690: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in i18next i18next-http-middleware
18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE.
AI Analysis
Technical Summary
The i18next-http-middleware package for Node.js and Deno, before version 3.9.3, contains a vulnerability where unauthenticated clients can exploit two unvalidated entry points (getResourcesHandler and missingKeyHandler) to write to internal object keys, specifically polluting Object.prototype. This can lead to bypassing authorization checks (e.g., user.isAdmin returning true), type confusion denial-of-service, and potentially remote code execution if combined with vulnerable downstream code. The CVSS 3.1 score is 8.6, indicating high severity with network attack vector, no privileges required, and no user interaction needed.
Potential Impact
An attacker can remotely exploit this vulnerability without authentication to manipulate the Node.js process's Object.prototype, potentially bypassing authorization controls, causing denial-of-service through type confusion, and possibly achieving remote code execution depending on the application’s downstream code. This can compromise confidentiality, integrity, and availability of the affected system.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to the affected middleware endpoints and monitor for unusual behavior related to authorization checks. Avoid using affected versions (< 3.9.3) in production environments if possible.
CVE-2026-41690: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in i18next i18next-http-middleware
Description
18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Versions prior to 3.9.3 allow an unauthenticated HTTP client to pollute Object.prototype in the Node.js process hosting the middleware, via two unvalidated entry points that reach internal object-key writes: getResourcesHandler and missingKeyHandler. This can break authorisation checks (if (user.isAdmin) returning true for any user), cause type-confusion DoS, and depending on downstream code it can be chained into RCE.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The i18next-http-middleware package for Node.js and Deno, before version 3.9.3, contains a vulnerability where unauthenticated clients can exploit two unvalidated entry points (getResourcesHandler and missingKeyHandler) to write to internal object keys, specifically polluting Object.prototype. This can lead to bypassing authorization checks (e.g., user.isAdmin returning true), type confusion denial-of-service, and potentially remote code execution if combined with vulnerable downstream code. The CVSS 3.1 score is 8.6, indicating high severity with network attack vector, no privileges required, and no user interaction needed.
Potential Impact
An attacker can remotely exploit this vulnerability without authentication to manipulate the Node.js process's Object.prototype, potentially bypassing authorization controls, causing denial-of-service through type confusion, and possibly achieving remote code execution depending on the application’s downstream code. This can compromise confidentiality, integrity, and availability of the affected system.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider restricting access to the affected middleware endpoints and monitor for unusual behavior related to authorization checks. Avoid using affected versions (< 3.9.3) in production environments if possible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-22T03:53:24.407Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fe067ecbff5d8610f67294
Added to database: 5/8/2026, 3:51:26 PM
Last enriched: 5/8/2026, 4:06:59 PM
Last updated: 5/9/2026, 3:47:56 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.