i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters

Severity:: High

Description

Versions of i18next-http-middleware prior to 3.9.3 pass the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitisation.

Recommendation

Update the i18next-http-middleware package to the latest compatible version. Followings are version details:

Affected version(s): < 3.9.3
Patched version(s): 3.9.3

References

GHSA-jfgf-83c5-2c4m
www.i18next.com
CVE-2026-42353
CWE-22
CWE-918
CAPEC-310
OWASP 2021-A1
OWASP 2021-A10
OWASP 2021-A6

Related Issues

i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters - CVE-2026-41690
i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header - CVE-2026-41683
i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns - CVE-2026-41691
i18next-locize-backend has URL Injection via Unsanitized Path Parameters - CVE-2026-41885

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

CSRF, XXE, and 12 Other Security Acronyms Explained

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; i18next-http-middleware

Anything's wrong? Let us know Last updated on May 13, 2026