PT-2026-37150 · Npm · I18Next-Http-Middleware+2

Published

2026-04-22

·

Updated

2026-05-08

·

CVE-2026-41690

CVSS v3.1

8.6

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions

i18next-http-middleware versions prior to 3.9.3

Description

An unauthenticated HTTP client can pollute Object.prototype in the Node.js process hosting the middleware. The flaw has two unvalidated entry points: getResourcesHandler and missingKeyHandler. getResourcesHandler reads lng and ns from query or route parameters and passes them to utils.setPath(), which did not guard against the __proto__, constructor or prototype keys. missingKeyHandler iterated the request body with a for...in loop, so inherited prototype-chain properties were forwarded along with the body's own keys.

This prototype pollution can break authorization checks, cause type-confusion denial of service (DoS), or be chained into remote code execution (RCE). Depending on the configured backend, unvalidated path segments can additionally enable filesystem path traversal (e.g., with i18next-fs-backend) or server-side request forgery (SSRF) (e.g., with i18next-http-backend). The vulnerability also allows memory and CPU exhaustion through unbounded growth of the shared singleton namespace list.

Recommendations

Update to version 3.9.3. As a partial mitigation, use a WAF rule to reject requests containing __proto__, constructor, prototype, .., or control characters in the lng and ns query parameters or in body keys.
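As an added illustration of the fix described above (not code from i18next-http-middleware or from the advisory), the following Node.js snippet shows a hardened setPath() that refuses prototype-chain keys, a validator for lng/ns segments matching the rejection rule in the Recommendations, and an own-keys-only replacement for the for...in body iteration. The function names and the length limit of 64 characters are assumptions made for this example.

```javascript
// Added example (not the middleware's own code): hardened setPath() plus
// the input checks the advisory recommends for lng, ns and body keys.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Reject a path segment (lng or ns value) that could reach the prototype
// chain, escape a backend directory, or carry control characters.
// The 64-character limit is an assumed sanity bound, not a project setting.
function isSafeSegment(seg) {
  if (typeof seg !== 'string' || seg.length === 0 || seg.length > 64) return false;
  if (FORBIDDEN_KEYS.has(seg)) return false;
  if (seg.includes('..') || seg.includes('/') || seg.includes('\\')) return false;
  // eslint-disable-next-line no-control-regex
  if (/[\x00-\x1f\x7f]/.test(seg)) return false;
  return true;
}

// Hardened setPath: writes `value` at obj[p0][p1]... creating plain objects
// along the way and refusing any key that would walk the prototype chain.
function setPathSafe(obj, path, value) {
  const parts = Array.isArray(path) ? path : String(path).split('.');
  for (const p of parts) {
    if (FORBIDDEN_KEYS.has(p)) throw new TypeError(`unsafe key in path: ${p}`);
  }
  let cur = obj;
  for (let i = 0; i < parts.length - 1; i++) {
    const k = parts[i];
    // Only descend into an own, non-null object; otherwise create a fresh one.
    if (!Object.prototype.hasOwnProperty.call(cur, k) ||
        typeof cur[k] !== 'object' || cur[k] === null) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[parts[parts.length - 1]] = value;
  return obj;
}

// Replacement for `for (const k in body)`: forwards only the body's own,
// enumerable keys and drops prototype-chain keys such as "__proto__".
function ownSafeEntries(body) {
  if (body === null || typeof body !== 'object') return [];
  return Object.keys(body)
    .filter((k) => !FORBIDDEN_KEYS.has(k))
    .map((k) => [k, body[k]]);
}
```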

Fix

RCE

DoS

Prototype Pollution

Path traversal

Weakness Enumeration

Related Identifiers

CVE-2026-41690
GHSA-5FGG-JCPF-8JJW

Affected Products

I18Next-Fs-Backend
I18Next-Http-Backend
I18Next-Http-Middleware