gettext-parser is vulnerable to Prototype Pollution
54
Medium Risk
gettext-parser assigns parsed PO/MO data into table.translations[msgctxt][msgid], table.obsolete[msgctxt][msgid], and headers[key] using plain property assignment. When msgctxt, msgid, or header keys are attacker-controlled (e.g. __proto__ or constructor), they are not validated, so a crafted PO or MO file can pollute Object.prototype or the headers object. That can lead to denial of service, unexpected behavior in code that iterates over object properties, or (in some downstream uses) injection of attributes. The fix uses Object.hasOwn() and Object.defineProperty() so that keys like __proto__ are stored as own properties instead of modifying the prototype.
You are affected if you are using a version that falls within the vulnerable range.
gettext-parser is vulnerable to Prototype Pollution in versions 0.1.0 - 9.0.1.
Upgrade the gettext-parser library to the patched version.
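As an added illustration (not gettext-parser's own code), a minimal stand-in for the nested translations[msgctxt][msgid] assignment described above, first in the unsafe plain-assignment form and then hardened with Object.hasOwn() and Object.defineProperty(); the function names and the sample entries are constructed for this example.

```javascript
// Constructed sample entries: the second uses "__proto__" as msgctxt,
// the unvalidated key the advisory describes.
const SAMPLE_ENTRIES = [
  { msgctxt: '', msgid: 'Hello', msgstr: ['Hallo'] },
  { msgctxt: '__proto__', msgid: 'polluted', msgstr: ['yes'] },
];

// Unsafe pattern: plain property assignment. For msgctxt === "__proto__",
// table.translations["__proto__"] resolves to Object.prototype (truthy, so
// no fresh bucket is created) and the inner assignment writes onto the
// prototype shared by every object.
function buildTableUnsafe(entries) {
  const table = { translations: {} };
  for (const e of entries) {
    if (!table.translations[e.msgctxt]) table.translations[e.msgctxt] = {};
    table.translations[e.msgctxt][e.msgid] = e;
  }
  return table;
}

// Hardened pattern: defineProperty creates an own data property even for
// "__proto__", so the setter on Object.prototype is never reached.
function safeSet(obj, key, value) {
  Object.defineProperty(obj, key, {
    value, enumerable: true, writable: true, configurable: true,
  });
}

// Only trust own properties when deciding whether a bucket already exists;
// an inherited "__proto__" accessor must not count as an existing bucket.
function buildTableSafe(entries) {
  const table = { translations: {} };
  for (const e of entries) {
    if (!Object.hasOwn(table.translations, e.msgctxt)) {
      safeSet(table.translations, e.msgctxt, {});
    }
    safeSet(table.translations[e.msgctxt], e.msgid, e);
  }
  return table;
}

// Detection helper: did building the table leave anything on Object.prototype?
function prototypeHasKey(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}
```

With the hardened builder, the "__proto__" context is an ordinary own property of translations and Object.prototype stays untouched; with the unsafe builder, a fresh {} afterwards exposes the polluted key.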