CVE-2026-48713: CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') in i18next i18next-fs-backend
Versions prior to 2.6.6 are vulnerable to prototype pollution via crafted missing-key strings when used to persist missing translation keys (e.g. via i18next-http-middleware's missingKeyHandler exposed to untrusted input). Backend.writeFile() splits each queued missing-key string on the configured keySeparator (default .) before calling the internal setPath() walker. The walker (getLastOfPath in lib/utils.js) did not guard against unsafe segments, so a key like "__proto__.polluted" was split into ["__proto__", "polluted"] and walked straight into Object.prototype, allowing an attacker to write arbitrary properties onto the global object prototype. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks.

Applications are affected only if the missingKeyHandler (or another route that forwards untrusted request bodies to i18next.t(..., { ... }) with saveMissing: true) is reachable by untrusted users and the default behaviour of splitting missing-key strings on keySeparator is in use (i.e. keySeparator is not false). Apps that do not expose missing-key persistence to untrusted input are not directly affected through this attack path.

This issue has been fixed in version 2.6.6. If developers using the library are unable to upgrade immediately, they should take the following precautions:
- do not expose i18next-http-middleware's missingKeyHandler to untrusted users (mount it behind authentication, or remove the route);
- disable missing-key persistence (saveMissing: false, or no backend.create implementation) when accepting writes from untrusted input;
- set keySeparator: false in their i18next options to disable backend key splitting (note: this also disables nested translation keys).
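The description above pins the defect to a path walker that splits on keySeparator and then descends through whatever segments it was handed. The following is an added example, not code from i18next-fs-backend or the advisory: a minimal nested-key writer in the same shape (split, walk, set leaf) with the guard the fix needs, i.e. a segment allowlist check that refuses "__proto__", "constructor" and "prototype" and only descends through own data properties. The function names (splitKey, setPathSafe, persistMissingKeys, demo) and the queued sample keys are constructed for the example; the keySeparator: false branch mirrors the documented mitigation that turns the whole string into one segment.

```javascript
// Added example, not i18next-fs-backend's own code. Models the advisory's
// flow: a missing-key string is split on keySeparator, then the segments are
// walked to create nested objects and set the leaf value. The guard below is
// the kind of check the unpatched walker lacked.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

function splitKey(key, keySeparator = '.') {
  // keySeparator: false mirrors the documented mitigation: no splitting,
  // so the whole string becomes a single (flat) key.
  if (keySeparator === false) return [key];
  return key.split(keySeparator);
}

// Hardened walker. Returns true when the value was written and false when the
// key was rejected (empty segment or a segment that would reach a prototype).
function setPathSafe(target, key, value, keySeparator = '.') {
  const segments = splitKey(key, keySeparator);
  if (segments.length === 0 ||
      segments.some((s) => s === '' || UNSAFE_SEGMENTS.has(s))) {
    return false;
  }
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Descend only into own, non-null object properties; anything else is
    // replaced by a fresh plain object rather than reached via inheritance.
    if (!Object.prototype.hasOwnProperty.call(node, seg) ||
        typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = {};
    }
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return true;
}

// Persist a batch of queued missing keys into an in-memory resource object,
// collecting the keys the guard refused so they can be logged or alerted on.
function persistMissingKeys(resources, queued, keySeparator = '.') {
  const rejected = [];
  for (const { key, fallback } of queued) {
    if (!setPathSafe(resources, key, fallback, keySeparator)) rejected.push(key);
  }
  return { resources, rejected };
}

// Constructed sample queue: one legitimate nested key plus two keys that
// would have walked into Object.prototype through the unguarded path.
const SAMPLE_QUEUE = [
  { key: 'nav.home', fallback: 'Home' },
  { key: '__proto__.polluted', fallback: 'yes' },      // the advisory's example
  { key: 'constructor.prototype.x', fallback: 'y' },
];

function demo() {
  const { resources, rejected } = persistMissingKeys({}, SAMPLE_QUEUE);
  return {
    resources,
    rejected,
    // A fresh object must not see either property after the batch.
    prototypeClean: !('polluted' in {}) && !('x' in {}),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The rejected list is worth surfacing in logs: a missing-key request containing "__proto__" or "constructor" segments is not something a legitimate client produces, so its appearance is a usable detection signal for the exposure the advisory describes.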
AI Analysis
Technical Summary
CVE-2026-48713 is a prototype pollution vulnerability in i18next-fs-backend affecting versions before 2.6.6. The vulnerability is triggered via crafted missing-key strings that are split on the default keySeparator ('.') and passed to an internal path walker that does not validate unsafe segments. This allows an attacker to write arbitrary properties onto Object.prototype by using keys like "__proto__.polluted". The vulnerability impacts applications exposing the missingKeyHandler or similar routes to untrusted users with saveMissing enabled and default keySeparator behavior. The issue has been fixed in version 2.6.6. Until upgrading, mitigations include restricting access to missingKeyHandler, disabling missing-key persistence for untrusted input, or disabling key splitting by setting keySeparator to false.
Potential Impact
Exploitation allows attackers to modify the global Object prototype, potentially causing application crashes, corrupted translation data, configuration poisoning, or bypassing security checks based on object properties. The impact depends on the host application's exposure of missing-key persistence to untrusted input and use of default keySeparator splitting. This vulnerability has a CVSS score of 9.1 (critical), indicating high severity with network attack vector, no privileges required, no user interaction, and high impact on integrity and availability.
Mitigation Recommendations
A fix is available in i18next-fs-backend version 2.6.6. Users should upgrade to this version to remediate the vulnerability. If immediate upgrade is not possible, mitigate by ensuring the missingKeyHandler or equivalent routes are not exposed to untrusted users (e.g., restrict access via authentication), disable missing-key persistence by setting saveMissing to false or removing backend.create implementations when accepting untrusted input, and set keySeparator to false to disable backend key splitting (noting this disables nested translation keys).
CVSS v3.1
Score: 9.1 (critical)
Affected software
pkg:npm/i18next/i18next-fs-backend
Weaknesses
- CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-05-22T18:47:27.755Z
- Cvss Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a30726b0b89be6888a31adc
Added to database: 6/15/2026, 9:45:15 PM
Last enriched: 6/15/2026, 10:00:25 PM
Last updated: 6/20/2026, 6:47:22 AM