PT-2026-37155 · Npm · I18Next-Locize-Backend

Published: 2026-04-22 · Updated: 2026-05-08 · CVE-2026-41885 · CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions: i18next-locize-backend versions prior to 9.0.2

Description: The software interpolates lng, ns, projectId, and version directly into configured URL templates such as 'loadPath', 'privatePath', 'addPath', 'updatePath', and 'getLanguagesPath' without path-component validation or encoding. When these values are exposed to user-controlled input (such as query parameters via i18next-browser-languagedetector, cookies, request headers, or a URL-derived projectId), a crafted value can alter the structure of the outgoing request URL. This can lead to path traversal, query-string injection, or fragment truncation. In cases where a custom 'loadPath' is configured against an internal or file-scheme URL, this may result in Server-Side Request Forgery (SSRF) or arbitrary-file read on the host. Additionally, the interpolate() function in lib/utils.js reads data[key] without excluding prototype-chain properties, which could allow values from Object.prototype to be pulled into the URL under prototype pollution conditions. The issue involves the interpolate() helper used in lib/index.js within the readAny(), read(), getLanguages(), and writePage() functions.

Recommendations: Update to version 9.0.2. As a temporary mitigation, sanitize lng, ns, projectId, and version at the application boundary by rejecting values containing .., /, ``, ?, #, %, whitespace, or control characters, and by capping the length of these inputs.
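The boundary sanitization recommended above, together with a hardened interpolation, as an added illustration that is not code from i18next-locize-backend. It assumes the usual i18next `{{lng}}`-style placeholders in the URL template, a constructed length cap of 64, and hypothetical helper names (`isSafeUrlPart`, `sanitizeParams`, `safeInterpolate`, `buildLoadUrl`).

```javascript
// Added example, not code from i18next-locize-backend. Hypothetical helpers
// that apply the advisory's mitigation before values reach a URL template.

const MAX_LEN = 64; // assumed cap; size it to your project's real identifiers

// Reject anything that could change URL structure, per the advisory:
// '..', '/', '\', '?', '#', '%', whitespace and control characters.
function isSafeUrlPart(value) {
  if (typeof value !== 'string' || value.length === 0 || value.length > MAX_LEN) {
    return false;
  }
  if (value.includes('..')) return false;
  // eslint-disable-next-line no-control-regex
  return !/[\/\\?#%\s\x00-\x1f\x7f]/.test(value);
}

// Validate every template variable at the application boundary and return
// a fresh plain object holding only the four expected keys.
function sanitizeParams(params) {
  const out = {};
  for (const key of ['lng', 'ns', 'projectId', 'version']) {
    if (!isSafeUrlPart(params[key])) {
      throw new Error(`rejected unsafe value for ${key}`);
    }
    out[key] = params[key];
  }
  return out;
}

// Hardened interpolation: only own properties are substituted, so keys that
// resolve via Object.prototype are never read, and each value is
// percent-encoded so it cannot alter the path, query or fragment.
function safeInterpolate(template, data) {
  return template.replace(/\{\{(\w+)\}\}/g, (placeholder, key) => {
    if (!Object.prototype.hasOwnProperty.call(data, key)) {
      return placeholder; // leave unknown/inherited placeholders untouched
    }
    return encodeURIComponent(String(data[key]));
  });
}

// Build the request URL from a configured loadPath-style template.
function buildLoadUrl(template, params) {
  return safeInterpolate(template, sanitizeParams(params));
}
```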

Fix

Weakness Enumeration: Path traversal; Special Elements Injection

Related Identifiers: CVE-2026-41885, GHSA-MGCP-MFP8-3Q45

Affected Products: I18Next-Locize-Backend