DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-MGCP-MFP8-3Q45: Path Traversal and URL Injection in i18next-locize-backend

Vulnerability ID: GHSA-MGCP-MFP8-3Q45
CVSS Score: N/A
Published: 2026-04-22

The i18next-locize-backend package prior to version 9.0.2 is vulnerable to path traversal and URL injection because it interpolates request parameters into the loadPath template without sanitizing them. An attacker who controls a value such as the language or namespace (for example through a user-selectable locale) can inject `../` segments, `/`, `?` or `#` characters and so change which resource the backend requests: a different API endpoint over HTTP, or, when loadPath uses a file:// URL, a file outside the translation directory.

TL;DR

Unsanitized path parameters in i18next-locize-backend let an attacker inject path traversal sequences and URL syntax into the loadPath template, allowing interaction with arbitrary endpoints on the translation host and, for file:// loadPath configurations, disclosure of local files.


⚠️ Exploit Status: POC

Technical Details

  • Primary CWE: CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • Secondary CWE: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection'), here as URL injection
  • Attack Vector: Network / Context-Dependent
  • Exploit Status: Proof of Concept
  • Fix Version: 9.0.2
  • Vulnerable Protocol Risk: file:// scheme arbitrary file read

Affected Systems

  • i18next-locize-backend: < 9.0.2 (Fixed in: 9.0.2)
  • Node.js applications utilizing the affected package for translation management

Code Analysis

Commit: 8f81ad4

Security hardening: Implement strict URL segment validation and prevent prototype pollution in interpolation context

Mitigation Strategies

  • Upgrade i18next-locize-backend to version 9.0.2 or later.
  • Implement application-level allowlists for locale and namespace inputs.
  • Avoid utilizing the file:// protocol for loadPath configurations unless strictly necessary.

Remediation Steps:

  1. Identify all projects utilizing the i18next-locize-backend package via dependency analysis tools.
  2. Update the package.json to require i18next-locize-backend version 9.0.2 minimum.
  3. Execute package manager updates (e.g., npm install or yarn install) to pull the patched version.
  4. Review application routing logic to ensure translation variables (language, namespace and any other interpolated value) are validated against a strict allowlist pattern: letters, digits and the hyphen or underscore separators that real locale and namespace names need, never dots, slashes, `?` or `#`.
  5. Deploy the updated application to staging environments for regression testing before production rollout.

