i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header

Description

Versions of i18next-http-middleware prior to 3.9.3 wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older i18next (< 19.5.

Recommendation

Update the i18next-http-middleware package to the latest compatible version. Followings are version details:

• Affected version(s): < 3.9.3
• Patched version(s): 3.9.3

References

• GHSA-c3h8-g69v-pjrg
• CVE-2026-41683
• CWE-113
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters - CVE-2026-41690
• i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters - CVE-2026-42353
• i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns - CVE-2026-41691
• Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resourc - CVE-2026-22036

You might also like:

CSRF, XXE, and 12 Other Security Acronyms Explained

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

i18next-http-middleware