PT-2026-36113 · Npm · I18Next-Http-Middleware+2

Published

2026-04-29

·

Updated

2026-05-08

·

CVE-2026-42353

CVSS v3.1

8.2

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions

i18next-http-middleware versions prior to 3.9.3
Description

The getResourcesHandler function passes the user-controlled lng and ns request values directly into i18next.services.backendConnector.load(languages, namespaces, …) without validating them. Because the backend interpolates these values into its load path, the impact depends on which backend is configured:
  • Filesystem path traversal (reading arbitrary files from disk) when paired with i18next-fs-backend or similar filesystem-based backends.
  • Server-Side Request Forgery (SSRF), which allows requests to internal IPs or hostnames, when paired with i18next-http-backend or similar HTTP-based backends.
  • Memory exhaustion due to the unbounded growth of the i18next.options.ns array when repeated unique payloads are sent.
Recommendations

Update to version 3.9.3 or later.

Fix

Path traversal

SSRF

Weakness Enumeration

Related Identifiers

CVE-2026-42353
GHSA-JFGF-83C5-2C4M

Affected Products

I18Next-Fs-Backend
I18Next-Http-Backend
I18Next-Http-Middleware