The vulnerability in i18next-http-backend (< 3.0.5) involves improper limitation of a pathname to a restricted directory (CWE-22) and broader URL-structure injection (CWE-74). The library interpolates user-controlled lng and ns parameters directly into loadPath/addPath URL templates without encoding or validation. Since i18next-browser-languagedetector exposes these parameters to user input by default, attackers can inject path traversal sequences or other URL manipulation characters. This can alter the outgoing request URL, potentially leading to unauthorized resource access. The issue is resolved in version 3.0.5 by applying the interpolateUrl sanitization fix. As a workaround, input sanitization (removing '..', '/', '\', '?', '#', '%', whitespace, control characters, and limiting length) before passing values to i18next is recommended.

The vulnerability allows an attacker to manipulate the URL used by i18next-http-backend to load resources by injecting path traversal or URL-structure altering characters via language or namespace parameters. This can lead to unauthorized access to resources outside the intended directories, potentially exposing sensitive data or causing unintended behavior. The CVSS score of 6.5 (medium severity) reflects the network attack vector with no privileges or user interaction required, and impacts confidentiality and integrity but not availability. No known exploits in the wild have been reported.

A fix is available in i18next-http-backend version 3.0.5, which includes proper sanitization of user-controlled parameters. Users should upgrade to version 3.0.5 or later to fully remediate the vulnerability. If immediate upgrade is not possible, users should sanitize the lng and ns input values before they reach i18next by stripping characters such as '..', '/', '\', '?', '#', '%', whitespace, and control characters, and by limiting the input length. This workaround reduces the risk until the official fix can be applied.