i18next-http-middleware is vulnerable to Path Traversal
82
High Risk
Improper validation of the user-controlled lng and ns parameters in the i18next-http-middleware getResourcesHandler allowed unsanitized values to be passed directly into backend resource loaders. The impact depends on the configured backend: with i18next-fs-backend, attackers could perform filesystem path traversal, leading to arbitrary file reads; with i18next-http-backend, they could perform server-side request forgery, sending requests to internal services or cloud metadata endpoints. Repeated unique ns values could also cause unbounded growth of the shared namespace array, resulting in memory exhaustion and denial of service. Successful exploitation could expose sensitive files, internal network resources, or credentials, or impact service availability.
You are affected if you are using a version that falls within the vulnerable range.
i18next-http-middleware is vulnerable to Path Traversal in versions 0.0.1 - 3.9.2.
Upgrade the i18next-http-middleware library to a patched version.
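As defence in depth alongside the upgrade, the missing validation can also be enforced in front of the resources route. The following is an added example, not code from i18next-http-middleware or its fix: an Express-style guard that lets lng and ns through only when every value is a plain token and is in a configured allow-list, which also bounds how many distinct namespaces can ever be requested. The names resourceParamGuard, checkList and SAFE_TOKEN, the option names, and the space-separated value format are assumptions of this example.

```javascript
// Added example: allow-list validation of lng/ns before any backend loader sees them.
// SAFE_TOKEN, checkList and resourceParamGuard are hypothetical names for illustration.
const SAFE_TOKEN = /^[A-Za-z0-9_-]{1,64}$/; // excludes '.', '/', '\', ':', '%', NUL

// Validate one query parameter holding space-separated values (assumed format).
function checkList(raw, allowed, maxItems) {
  // Repeated parameters (?ns=a&ns=b) arrive as arrays in Express; reject them outright.
  if (typeof raw !== 'string') return { ok: false, reason: 'not a string' };
  const items = raw.split(' ').filter(Boolean);
  if (items.length === 0 || items.length > maxItems) {
    return { ok: false, reason: 'bad item count' };
  }
  for (const item of items) {
    if (!SAFE_TOKEN.test(item)) return { ok: false, reason: 'illegal characters' };
    // Only configured values pass, so unique attacker-chosen names never accumulate.
    if (!allowed.has(item)) return { ok: false, reason: 'not configured' };
  }
  return { ok: true, items };
}

// Build a middleware to mount before the route that serves translation resources.
function resourceParamGuard({ languages, namespaces, maxItems = 10 }) {
  const lngs = new Set(languages);
  const nss = new Set(namespaces);
  return function guard(req, res, next) {
    const lng = checkList(req.query.lng, lngs, maxItems);
    const ns = checkList(req.query.ns, nss, maxItems);
    const bad = !lng.ok ? ['lng', lng] : !ns.ok ? ['ns', ns] : null;
    if (bad) {
      res.statusCode = 400;
      return res.end(`invalid ${bad[0]}: ${bad[1].reason}`);
    }
    next();
  };
}
```

Rejected requests are worth logging with the offending parameter name, since repeated failures on lng or ns indicate probing of this handler.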