PT-2026-37151 · Npm · I18Next-Http-Backend

Adrai committed · Published 2026-04-22 · Updated 2026-06-12 · CVE-2026-41691

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: i18next-http-backend versions prior to 3.0.5

Description: Affected versions of the library interpolate the lng and ns values directly into the configured loadPath or addPath URL templates without encoding, validation, or path sanitization. When language-code selection is exposed to user-controlled input (for example query parameters, cookies, localStorage, or request headers), an attacker can inject characters that alter the structure of the outgoing request URL. This can lead to path traversal, query-string injection, and fragment truncation. In severe cases it may result in Server-Side Request Forgery (SSRF), if the loadPath uses internal or file-scheme URLs, or in a path-based authorization bypass. The affected versions were additionally susceptible to log forging via control characters in lng or ns, leakage of Basic-auth credentials in error callbacks, and prototype pollution amplification because addQueryString and customHeaders were iterated with for...in loops.

Recommendations: Update to version 3.0.5. As a temporary workaround, sanitize lng and ns values before they reach the library by stripping `..`, `/`, `\`, `?`, `#`, `%`, whitespace, and control characters, and by capping the length of the input.
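The interim workaround above, as an added JavaScript example. This is not code from i18next-http-backend or its maintainers: the function names (sanitizeLocaleValue, sanitizeLng, sanitizeNs, buildLoadUrl, urlStaysUnderBase, resolveLoadUrl), the fallback values `en` and `translation`, the 32-character cap and the allowlist patterns are assumptions of this example. The `{{lng}}`/`{{ns}}` placeholders are the loadPath format the library documents, but the substitution helper here is a simplified stand-in, not the library's implementation. The sanitizer strips the characters the advisory lists, caps the length, then enforces an allowlist so that anything still malformed falls back to a known-good default; a final structural check confirms the substituted URL never leaves its base path or gains a query string or fragment.

```javascript
// Added example: a pre-library sanitizer for lng/ns following the advisory's
// workaround. Not code from i18next-http-backend; names and defaults are assumed.

const MAX_LEN = 32;               // assumption: cap on tag/namespace length
const DEFAULT_LNG = 'en';         // assumption: the app's default language
const DEFAULT_NS = 'translation'; // i18next's default namespace name

// Allowlists are the real control; the stripping below is belt-and-braces.
const LANG_TAG = /^[A-Za-z]{2,3}(?:-[A-Za-z0-9]{1,8})*$/; // en, en-US, zh-Hant-TW
const NS_NAME = /^[A-Za-z0-9_-]+$/;                        // no dots, slashes, etc.

function sanitizeLocaleValue(value, allowPattern, fallback) {
  if (typeof value !== 'string') return fallback;
  const cleaned = value
    .replace(/[\u0000-\u001f\u007f]/g, '') // control characters (log forging)
    .replace(/\s+/g, '')                   // whitespace
    .replace(/[\/\\?#%]/g, '')             // URL-structure characters / \ ? # %
    .replace(/\.\.+/g, '')                 // runs of two or more dots (..)
    .slice(0, MAX_LEN);                    // cap the length
  return allowPattern.test(cleaned) ? cleaned : fallback;
}

function sanitizeLng(lng) { return sanitizeLocaleValue(lng, LANG_TAG, DEFAULT_LNG); }
function sanitizeNs(ns) { return sanitizeLocaleValue(ns, NS_NAME, DEFAULT_NS); }

// Simplified stand-in for the library's placeholder substitution (assumption:
// the real implementation is not reproduced here). {{lng}} and {{ns}} are the
// placeholders i18next-http-backend documents for loadPath/addPath. Only ever
// called with sanitized values, so replacement patterns such as "$&" cannot occur.
function buildLoadUrl(template, lng, ns) {
  return template.replace(/\{\{lng\}\}/g, lng).replace(/\{\{ns\}\}/g, ns);
}

// Structural check: after substitution the path must still sit below the
// expected base and carry no query string or fragment. Usable as a unit test
// for the sanitizer or as a runtime guard around the request function.
function urlStaysUnderBase(url, base) {
  const parsed = new URL(url, 'https://placeholder.invalid'); // dummy origin for relative paths
  return parsed.pathname.startsWith(base) && parsed.search === '' && parsed.hash === '';
}

// Resolve a load URL from untrusted inputs (e.g. a ?lng= query parameter).
function resolveLoadUrl(template, untrustedLng, untrustedNs, base) {
  const url = buildLoadUrl(template, sanitizeLng(untrustedLng), sanitizeNs(untrustedNs));
  if (!urlStaysUnderBase(url, base)) {
    throw new Error('locale URL left its base path; refusing to load');
  }
  return url;
}

// Demo when run directly: node sanitize-locale.js
if (typeof require !== 'undefined' && require.main === module) {
  const template = '/locales/{{lng}}/{{ns}}.json';
  console.log(resolveLoadUrl(template, 'en-US', 'translation', '/locales/'));
  console.log(resolveLoadUrl(template, 'fr?x=1#y', '../../admin', '/locales/'));
}
```

Note that the stripping step alone is lenient (an ns of `../../admin` becomes `admin`); the allowlist is what guarantees no dot, slash, query or fragment character survives, and the base-path check catches any template in which the library's own interpolation would still alter the URL. For language codes, restricting lng to the set the application actually ships (i18next's `supportedLngs` option) is a stronger control than any pattern, and the update to 3.0.5 remains the actual fix.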

Fix

Weakness Enumeration

Special Elements Injection
Path traversal

Related Identifiers

CVE-2026-41691
GHSA-Q89C-Q3H5-W34G

Affected Products

I18Next-Http-Backend