CVE Reports

Originally published at cvereports.com

CVE-2026-48713: Remote Prototype Pollution in i18next-fs-backend

Vulnerability ID: CVE-2026-48713
CVSS Score: 9.1
Published: 2026-06-25

A critical prototype pollution vulnerability exists in the i18next-fs-backend Node.js package (prior to version 2.6.6) through its translation persistence layer. When handling missing translation keys, insecure traversal of JSON objects via the getLastOfPath function allows remote, unauthenticated attackers to mutate Object.prototype, potentially leading to denial of service, security bypasses, or remote code execution.

TL;DR

Unauthenticated prototype pollution in i18next-fs-backend < 2.6.6 via missing translation key traversal can lead to RCE or DoS.

⚠️ Exploit Status: PoC

Technical Details

  • CWE ID: CWE-1321
  • Attack Vector: Network (AV:N)
  • CVSS v3.1: 9.1 (Critical)
  • EPSS Score: 0.00419 (33.50th percentile)
  • Exploit Status: PoC Available
  • CISA KEV: Not Listed

Affected Systems

  • Node.js applications running i18next-fs-backend < 2.6.6 with saveMissing enabled
  • i18next-fs-backend: < 2.6.6 (Fixed in: 2.6.6)

Code Analysis

Commit: 3ab0448

Fixes the prototype pollution vulnerability by preventing traversal of the __proto__, prototype, and constructor properties when a key path is resolved.
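As an added illustration of the guard the fix describes (example code, not i18next-fs-backend's own; the names safeGetLastOfPath, addMissingKey and prototypeIsClean are hypothetical), this key-path setter refuses the three segments that would reach Object.prototype and only descends into own properties:

```javascript
// Added illustration (not i18next-fs-backend's own code): a key-path setter
// that mirrors the fix described above by refusing to traverse the three
// segments that reach Object.prototype. Function names are hypothetical.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Walk `path` (e.g. 'app.title') inside `obj`, creating intermediate plain
// objects, and return the final container plus the last key. A forbidden
// segment throws instead of being followed into the prototype chain.
// keySeparator === false mirrors the `keySeparator: false` mitigation:
// the whole key is treated as one literal segment.
function safeGetLastOfPath(obj, path, keySeparator = '.') {
  const segments = keySeparator === false ? [String(path)] : String(path).split(keySeparator);
  for (const seg of segments) {
    if (FORBIDDEN_SEGMENTS.has(seg)) {
      throw new Error(`refusing to traverse key segment "${seg}"`);
    }
  }
  let cur = obj;
  for (const seg of segments.slice(0, -1)) {
    // Only descend into own, non-null object properties; never inherited ones.
    const own = Object.prototype.hasOwnProperty.call(cur, seg);
    if (!own || typeof cur[seg] !== 'object' || cur[seg] === null) {
      cur[seg] = {};
    }
    cur = cur[seg];
  }
  return { obj: cur, k: segments[segments.length - 1] };
}

// Persist a missing translation key into an in-memory resource bundle,
// the way a saveMissing handler would before writing the file.
function addMissingKey(resources, key, fallbackValue, keySeparator = '.') {
  const { obj, k } = safeGetLastOfPath(resources, key, keySeparator);
  obj[k] = fallbackValue;
  return resources;
}

// Defender-side check: Object.prototype should carry no own enumerable
// property; any such property is the symptom of successful pollution.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}
```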

Mitigation Strategies

  • Upgrade i18next-fs-backend to version 2.6.6 or higher.
  • Disable missing-key persistence by setting saveMissing: false in i18next options.
  • Configure keySeparator: false to disable key splitting pathways.

Remediation Steps:

  1. Identify all occurrences of i18next-fs-backend in package.json and package-lock.json.
  2. Run npm install i18next-fs-backend@2.6.6 or yarn add i18next-fs-backend@2.6.6 to upgrade.
  3. Verify options.saveMissing is set to false in non-development environments.
  4. Deploy application updates and monitor for unexpected errors in translation resolution.

Read the full report for CVE-2026-48713 on our website for more details including interactive diagrams and full exploit analysis.