critical · 9.1 · CVE-2026-48713 · Jun 25, 2026

CVE-2026-48713: i18next-fs-backend Prototype Pollution via Crafted Missing-Key String

Rohit Hatagale
AI Security Researcher, SecureLayer7

A crafted translation key containing __proto__ sent to the i18next missing-key persistence endpoint can overwrite properties on JavaScript's global Object prototype, potentially crashing the app or by

Package: i18next-fs-backend
Ecosystem: npm
Affected: < 2.6.6
Fixed in: 2.6.6

The problem

i18next-fs-backend up to 2.6.5 splits each missing translation key on the configured keySeparator (default `.`) and walks the resulting segments into a JSON object via `getLastOfPath` in `lib/utils.js`.

That walker had no guard against prototype-poisoning segment names. A key like `__proto__.polluted` was split into `["__proto__", "polluted"]` and resolved directly onto `Object.prototype`, writing an attacker-controlled value to every object in the process. Impact ranges from application crashes and corrupted translations to configuration poisoning and bypasses of property-existence security checks.

Proof of concept

```http
POST /locales/add/en/translation HTTP/1.1
Host: vulnerable-app.example
Content-Type: application/json

{"__proto__.polluted": "injected"}
```

The root cause (CWE-1321) is in `lib/utils.js`'s `getLastOfPath`. It iterated every dot-split segment with plain bracket notation and no denylist, so `obj["__proto__"]` returned `Object.prototype` itself, and the next segment wrote onto it.

The patch (commit 3ab0448) adds an explicit segment check: if any segment equals `__proto__`, `constructor`, or `prototype`, the entire traversal is aborted and the write is dropped silently. Normal dotted keys like `header.title` are unaffected.
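Added example (not the project's code): a reconstruction of the walker described above beside a guarded version with the same segment denylist, so the difference in behaviour can be observed locally. The bodies, and the `addMissing` and `demo` helpers standing in for the save-missing path, are assumptions.

```javascript
// Added example: reconstructed dotted-key walker beside a guarded version.
// getLastOfPath and the denylist come from the advisory; bodies are assumptions.
const DENY = new Set(["__proto__", "constructor", "prototype"]);

// Pre-fix behaviour: every segment is resolved with bracket notation, so
// obj["__proto__"] yields Object.prototype and the final write lands there.
function getLastOfPathVulnerable(object, path, keySeparator = ".") {
  const segments = path.split(keySeparator);
  let obj = object;
  while (segments.length > 1) {
    const key = segments.shift();
    if (obj[key] === undefined) obj[key] = {};
    obj = obj[key];
  }
  return { obj, k: segments[0] };
}

// Post-fix behaviour: abort the whole traversal if any segment is a
// prototype-poisoning name; the caller then drops the write.
function getLastOfPathSafe(object, path, keySeparator = ".") {
  const segments = path.split(keySeparator);
  if (segments.some((s) => DENY.has(s))) return null;
  let obj = object;
  while (segments.length > 1) {
    const key = segments.shift();
    if (obj[key] === undefined) obj[key] = {};
    obj = obj[key];
  }
  return { obj, k: segments[0] };
}

// Persist one missing key into a translation resource; returns whether accepted.
function addMissing(resource, key, value, walker) {
  const target = walker(resource, key);
  if (target === null) return false;
  target.obj[target.k] = value;
  return true;
}

function demo() {
  const before = ({}).polluted;                       // undefined on a clean process
  addMissing({}, "__proto__.polluted", "injected", getLastOfPathVulnerable);
  const afterVulnerable = ({}).polluted;              // "injected": prototype is polluted
  delete Object.prototype.polluted;                   // clean up before the guarded run
  const safeRes = {};
  const accepted = addMissing(safeRes, "__proto__.polluted", "injected", getLastOfPathSafe);
  const afterSafe = ({}).polluted;                    // still undefined
  addMissing(safeRes, "header.title", "Hello", getLastOfPathSafe);
  return { before, afterVulnerable, accepted, afterSafe, safeRes };
}
```

The `({}).polluted` probe is also a cheap runtime check for detecting that a process has already been polluted.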

The middleware-side fix in `i18next-http-middleware` 3.9.7 (CVE-2026-48714) adds a complementary pre-filter that rejects dotted payloads before they reach the backend, providing defence in depth.

The fix

Upgrade `i18next-fs-backend` to **2.6.6** (patch commit 3ab0448). Also upgrade `i18next-http-middleware` to **3.9.7** for defence-in-depth filtering.

If an immediate upgrade is not possible: mount the `missingKeyHandler` route behind authentication (or remove it), set `saveMissing: false`, or set `keySeparator: false` in i18next options to disable key splitting entirely (note: this also disables nested translation keys).

Reported by codeswhite.
