PT-2026-34624 · I18Next+1 · I18Next-Http-Middleware

Published 2026-04-22 · Updated 2026-05-08 · CVE-2026-41683

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: i18next-http-middleware versions prior to 3.9.3

Description: The software writes user-controlled language values into the 'Content-Language' response header using an HTML-entity encoder that fails to strip carriage return, line feed, or other control characters. When used with i18next versions prior to 19.5.0, or when a raw detected value is produced, CRLF (Carriage Return Line Feed) sequences in the lng parameter are passed directly to the response header. This can lead to HTTP response splitting in Node.js versions prior to 14.6.0, allowing session fixation, cache poisoning, or reflected XSS. In Node.js versions 14.6.0 and later, it causes a denial of service instead, because Node throws an ERR_INVALID_CHAR exception that can crash the server instance for all concurrent users. Additionally, a secondary filter designed to prevent XSS used an insufficient regular expression that could be bypassed when res.locals.language is rendered in context-unsafe templating modes.

Recommendations: Update to version 3.9.3.

Fix

DoS

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-41683
GHSA-C3H8-G69V-PJRG

Affected Products

I18Next-Http-Middleware