The vulnerability in i18next-http-middleware (before 3.9.7) involves improper filtering of prototype-related keys in the missingKeyHandler. Although literal keys __proto__, constructor, and prototype are blocked, dotted variants like "__proto__.polluted" are not rejected. Downstream backends such as i18next-fs-backend ≤ 2.6.5 split these keys on a configured separator and use an unguarded setPath() function that writes to Object.prototype, enabling remote prototype pollution. This can lead to crashes, corrupted translations, configuration poisoning, or security bypasses depending on the host application. The issue is resolved in version 3.9.7. Mitigations for those unable to upgrade include restricting access to missingKeyHandler, filtering request bodies for prototype-related keys, and disabling missing-key persistence for untrusted input.

This vulnerability allows remote attackers to perform prototype pollution via crafted keys in the missingKeyHandler input, leading to potential crashes, corrupted translation data, configuration poisoning, or bypass of property-based security controls. The impact is high integrity and availability impact but no direct confidentiality loss is indicated.

A fix is available in i18next-http-middleware version 3.9.7. Users should upgrade to this version to fully remediate the vulnerability. If immediate upgrade is not feasible, developers should not expose missingKeyHandler to untrusted users by restricting access or removing the route. Additionally, implement request-body filtering to reject any top-level keys containing __proto__, constructor, or prototype after splitting on the configured keySeparator. Also, disable missing-key persistence (saveMissing: false) when accepting writes from untrusted input. These mitigations reduce the risk until the official fix can be applied.