Adraicommitted

#27940 of 53,624
9.1 Total CVSS
Vulnerabilities · 1
PT-2026-37151
9.1
2026-04-22
Npm · I18Next-Http-Backend · CVE-2026-41691
**Name of the Vulnerable Software and Affected Versions**

i18next-http-backend versions prior to 3.0.5

**Description**

Affected versions interpolate the `lng` and `ns` values directly into the configured `loadPath` or `addPath` URL templates without encoding, validation, or path sanitization. When language-code selection is exposed to user-controlled input, for example through query parameters, cookies, `localStorage`, or request headers, an attacker can inject characters that alter the structure of the outgoing request URL. This can lead to path traversal, query-string injection, and fragment truncation. In severe cases this may result in Server-Side Request Forgery (SSRF), if `loadPath` uses internal or file-scheme URLs, or in path-based authorization bypass.

The affected versions were additionally susceptible to log forging via control characters in `lng` or `ns`, leakage of Basic-auth credentials in error callbacks, and prototype pollution amplification due to the use of `for...in` loops in `addQueryString` and `customHeaders`.

**Recommendations**

Update to version 3.0.5. As a temporary workaround, sanitize `lng` and `ns` values before they reach the library by stripping `..`, `/`, `\`, `?`, `#`, `%`, whitespace, and control characters, and by capping the length of the input.
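The following is an added example written for this page; it is not code from i18next-http-backend or from the advisory's author. `interpolateUnsafe` is a stand-in for the unencoded template substitution the advisory describes (the template string and helper names are assumptions, not the library's internals), `sanitizeCode` implements the recommended workaround, and `isAllowedCode` and the query-string helpers are the editor's additions showing an allow-list alternative and the `for...in` amplification mentioned above.

```javascript
// Added example (editor's code, not the i18next-http-backend source).

const LOAD_PATH = '/locales/{{lng}}/{{ns}}.json'; // a typical loadPath template (assumed)

// Stand-in for the vulnerable behaviour: lng and ns are substituted into the
// template verbatim, with no encoding or validation (assumed shape, not the
// library's own implementation).
function interpolateUnsafe(template, lng, ns) {
  return template.replace('{{lng}}', () => lng).replace('{{ns}}', () => ns);
}

// Advisory workaround: strip "..", "/", "\", "?", "#", "%", whitespace and
// control characters, then cap the length. The stripping is repeated until
// the value stops changing, because a single pass can recreate what it just
// removed: "./." loses its "/" and becomes "..".
function sanitizeCode(value, maxLength = 20) {
  if (typeof value !== 'string') return '';
  let prev;
  let out = value;
  do {
    prev = out;
    out = out
      .replace(/\.\./g, '')
      .replace(/[\/\\?#%]/g, '')
      .replace(/[\s\u0000-\u001f\u007f]/g, '');
  } while (out !== prev);
  return out.slice(0, maxLength);
}

// Stricter alternative (editor's suggestion, not from the advisory): accept
// only a conservative language-tag-shaped token and reject everything else,
// which also stops characters the strip list does not cover (e.g. "=" or "&").
const CODE_RE = /^[A-Za-z0-9]+(?:[-_][A-Za-z0-9]+)*$/;
function isAllowedCode(value, maxLength = 20) {
  return typeof value === 'string' && value.length <= maxLength && CODE_RE.test(value);
}

// Builds "k=v&k=v" from a params object. With useForIn=true the loop also
// visits enumerable keys inherited from the prototype chain, which is how a
// polluted Object.prototype ends up in the outgoing query string.
function buildQuery(params, useForIn) {
  const parts = [];
  const push = (k) => parts.push(encodeURIComponent(k) + '=' + encodeURIComponent(params[k]));
  if (useForIn) {
    for (const k in params) push(k);
  } else {
    for (const k of Object.keys(params)) push(k); // own properties only
  }
  return parts.join('&');
}

// Demonstrates the amplification with a constructed pollution: set a key on
// Object.prototype, build the same query both ways, then undo the pollution.
function demoPollution() {
  Object.prototype.polluted = 'evil'; // constructed, simulating an upstream bug
  try {
    const params = { v: '1.0' };
    return { forIn: buildQuery(params, true), own: buildQuery(params, false) };
  } finally {
    delete Object.prototype.polluted;
  }
}

// Usage: compare the raw interpolation with the sanitized one.
console.log(interpolateUnsafe(LOAD_PATH, '../../etc/passwd', 'x'));
console.log(interpolateUnsafe(LOAD_PATH, sanitizeCode('../../etc/passwd'), 'x'));
console.log(isAllowedCode('en-US'), isAllowedCode('en?cb='));
console.log(demoPollution());
```

Note that stripping is a blacklist and leaves characters such as `=` and `&` untouched, so `sanitizeCode('en?cb=')` still yields `encb=`; the allow-list check is the safer choice when the set of valid language and namespace codes is known, and the library update remains the real fix.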