CVE-2026-41885: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in locize i18next-locize-backend
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of these values to user-controlled input (?lng= / ?ns= query parameters via i18next-browser-languagedetector, cookies, request headers, or a URL-derived projectId), a crafted value can change the structure of the outgoing request URL. Affected call sites in lib/index.js (pre-patch): the interpolate() helper is used at the five URL-build sites — _readAny/read (line 415 for private, 426 for public), getLanguages (lines 271 and 296), and writePage (lines 616 and 622) for the missing-key and update POST paths. The helper interpolate in lib/utils.js substitutes raw values with no encoding. This issue has been patched in version 9.0.2.
AI Analysis
Technical Summary
The i18next-locize-backend package versions before 9.0.2 improperly handle user-controlled input (lng, ns, projectId, version) by directly interpolating these values into URL templates without path-component validation or encoding. This flaw allows crafted inputs to alter the structure of outgoing request URLs, resulting in a path traversal vulnerability (CWE-22) and potentially improper resource access. The vulnerability affects several functions responsible for building URLs for reading, writing, and language retrieval. The issue was patched in version 9.0.2.
Potential Impact
An attacker can manipulate URL parameters to traverse directories and potentially access or modify resources outside the intended scope. The CVSS 3.1 base score is 6.5 (medium severity), indicating limited confidentiality and integrity impact without availability impact. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade i18next-locize-backend to version 9.0.2 or later, where this path traversal vulnerability has been fixed. Patch status is not explicitly stated beyond the version fix, but upgrading to the fixed version is the recommended remediation.
CVE-2026-41885: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') in locize i18next-locize-backend
Description
i18next-locize-backend is a simple i18next backend for locize.com which can be used in Node.js, in the browser and for Deno. Prior to version 9.0.2, i18next-locize-backend interpolates lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of these values to user-controlled input (?lng= / ?ns= query parameters via i18next-browser-languagedetector, cookies, request headers, or a URL-derived projectId), a crafted value can change the structure of the outgoing request URL. Affected call sites in lib/index.js (pre-patch): the interpolate() helper is used at the five URL-build sites — _readAny/read (line 415 for private, 426 for public), getLanguages (lines 271 and 296), and writePage (lines 616 and 622) for the missing-key and update POST paths. The helper interpolate in lib/utils.js substitutes raw values with no encoding. This issue has been patched in version 9.0.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The i18next-locize-backend package versions before 9.0.2 improperly handle user-controlled input (lng, ns, projectId, version) by directly interpolating these values into URL templates without path-component validation or encoding. This flaw allows crafted inputs to alter the structure of outgoing request URLs, resulting in a path traversal vulnerability (CWE-22) and potentially improper resource access. The vulnerability affects several functions responsible for building URLs for reading, writing, and language retrieval. The issue was patched in version 9.0.2.
Potential Impact
An attacker can manipulate URL parameters to traverse directories and potentially access or modify resources outside the intended scope. The CVSS 3.1 base score is 6.5 (medium severity), indicating limited confidentiality and integrity impact without availability impact. There are no known exploits in the wild at this time.
Mitigation Recommendations
Upgrade i18next-locize-backend to version 9.0.2 or later, where this path traversal vulnerability has been fixed. Patch status is not explicitly stated beyond the version fix, but upgrading to the fixed version is the recommended remediation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-22T15:11:54.670Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fe067ecbff5d8610f6729a
Added to database: 5/8/2026, 3:51:26 PM
Last enriched: 5/8/2026, 4:07:33 PM
Last updated: 5/8/2026, 5:55:29 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.