CVE-2026-48713: i18next-fs-backend Prototype Pollution via Crafted Missing-Key String
A crafted translation key containing __proto__ sent to the i18next missing-key persistence endpoint can overwrite properties on JavaScript's global Object prototype, potentially crashing the app or by

The problem
i18next-fs-backend up to 2.6.5 splits each missing translation key on the configured keySeparator (default `.`) and walks the resulting segments into a JSON object via `getLastOfPath` in `lib/utils.js`.
That walker had no guard against prototype-poisoning segment names. A key like `__proto__.polluted` was split into `["__proto__", "polluted"]` and resolved directly onto `Object.prototype`, writing an attacker-controlled value to every object in the process. Impact ranges from application crashes and corrupted translations to configuration poisoning and bypasses of property-existence security checks.
Proof of concept
A working proof-of-concept for CVE-2026-48713 in i18next-fs-backend, with the exact payload below.
POST /locales/add/en/translation HTTP/1.1
Host: vulnerable-app.example
Content-Type: application/json
{"__proto__.polluted": "injected"}The root cause (CWE-1321) is in `lib/utils.js`'s `getLastOfPath`. It iterated every dot-split segment with plain bracket notation and no denylist, so `obj["__proto__"]` returned `Object.prototype` itself, and the next segment wrote onto it.
The patch (commit 3ab0448) adds an explicit segment check: if any segment equals `__proto__`, `constructor`, or `prototype`, the entire traversal is aborted and the write is dropped silently. Normal dotted keys like `header.title` are unaffected.
The middleware-side fix in `i18next-http-middleware` 3.9.7 (CVE-2026-48714) adds a complementary pre-filter that rejects dotted payloads before they reach the backend, providing defence in depth.
The fix
Upgrade `i18next-fs-backend` to **2.6.6** (patch commit 3ab0448). Also upgrade `i18next-http-middleware` to **3.9.7** for defence-in-depth filtering.
If an immediate upgrade is not possible: mount the `missingKeyHandler` route behind authentication (or remove it), set `saveMissing: false`, or set `keySeparator: false` in i18next options to disable key splitting entirely (note: this also disables nested translation keys).
Reported by codeswhite.
Related research
- critical · 9.9CVE-2026-49252CVE-2026-49252: @deepstream/server Prototype Pollution via Record Path
- critical · 9.1CVE-2026-48714CVE-2026-48714: i18next-http-middleware Prototype Pollution via Dotted Missing-Key
- high · 8.8CVE-2026-54504CVE-2026-54504: @andrea9293/mcp-documentation-server Unauthenticated Network API Exposure
- high · 7.5CVE-2026-50272CVE-2026-50272: dd-trace Unbounded W3C Baggage Extraction DoS