i18next-http-middleware: Prototype pollution and path traversal via user-controlled language and namespace parameters

Severity:: High

Description

Versions of i18next-http-middleware prior to 3.9.3 pass user-controlled lng and ns parameters to two internal paths that use them in ways that enable prototype pollution and, depending on the configured backend, path traversal or SSRF.

Recommendation

Update the i18next-http-middleware package to the latest compatible version. Followings are version details:

Affected version(s): < 3.9.3
Patched version(s): 3.9.3

References

GHSA-5fgg-jcpf-8jjw
www.i18next.com
CVE-2026-41690
CWE-1321
CWE-22
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6

Related Issues

i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters - CVE-2026-42353
i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header - CVE-2026-41683
i18next-http-backend has Path Traversal & URL Injection via Unsanitised lng/ns - CVE-2026-41691
i18next-locize-backend has URL Injection via Unsanitized Path Parameters - CVE-2026-41885

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:: npm; i18next-http-middleware

Anything's wrong? Let us know Last updated on May 13, 2026