i18next is vulnerable to Regular Expression Denial of Service (ReDoS)
65
Medium Risk
The interpolation layer builds regular expressions from the configurable unescapePrefix and unescapeSuffix values. Those segments were embedded into regex sources without escaping regex metacharacters, unlike the other delimiters, so a malicious or mistaken delimiter configuration could cause catastrophic backtracking during matching or break the expected unescape behavior.

The shared logger forwards its arguments to the configured backend and previously left ASCII control characters intact in string arguments, so externally influenced keys, languages, namespaces, or labels could forge extra log lines or inject control characters into consolidated output.

The patch escapes all delimiter segments consistently and strips disallowed control characters from string log arguments before forwarding them. A separate runtime warning was added for a narrow nested-translation pattern when HTML escaping is disabled; that improves visibility of a risky setup but is not a complete exploit-prevention guard by itself.
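The following is an added illustration of the two fixes described above; it is not i18next's own source. It assumes i18next-style interpolation defaults (prefix "{{", suffix "}}", unescapePrefix "-", unescapeSuffix "") and uses a hypothetical escapeRegExp helper and log sanitizer to show the unescaped versus escaped delimiter behavior.

```javascript
// Added illustration of the advisory's two fixes; not i18next's own source.
// Assumed i18next-style interpolation defaults: prefix "{{", suffix "}}",
// unescapePrefix "-", unescapeSuffix "".

// Escape regex metacharacters so a configured delimiter is matched literally.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Build the regex that finds "unescaped" interpolations such as {{-name}}.
// escapeDelims=false mirrors the pre-patch handling of the unescape segments:
// prefix/suffix are escaped, unescapePrefix/unescapeSuffix are embedded raw.
function buildUnescapeRegex(opts, escapeDelims) {
  const up = escapeDelims ? escapeRegExp(opts.unescapePrefix) : opts.unescapePrefix;
  const us = escapeDelims ? escapeRegExp(opts.unescapeSuffix) : opts.unescapeSuffix;
  return new RegExp(
    `${escapeRegExp(opts.prefix)}${up}(.+?)${us}${escapeRegExp(opts.suffix)}`,
    'g'
  );
}

// Return the variable names selected for unescaped output, or null when the
// configured delimiters do not even compile into a valid regex.
function unescapedVars(str, opts, escapeDelims) {
  let re;
  try {
    re = buildUnescapeRegex(opts, escapeDelims);
  } catch (e) {
    return null; // e.g. a raw unescapePrefix of "(" yields an unterminated group
  }
  const names = [];
  let m;
  while ((m = re.exec(str)) !== null) names.push(m[1].trim());
  return names;
}

// Strip ASCII control characters (NUL..US and DEL) from string log arguments so
// an externally influenced key, language or namespace cannot forge a log line.
function sanitizeLogArg(arg) {
  if (typeof arg !== 'string') return arg;
  return arg.replace(/[\u0000-\u001f\u007f]/g, '');
}

// Constructed sample configuration matching the assumed defaults.
const DEFAULTS = { prefix: '{{', suffix: '}}', unescapePrefix: '-', unescapeSuffix: '' };
```

With a mistaken unescapePrefix of ".", the raw build silently treats any character as the marker, while the escaped build only matches a literal "."; with "(", the raw build fails to compile at all.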
You are affected if you are using a version that falls within the vulnerable range.
i18next is vulnerable to Regular Expression Denial of Service (ReDoS) in versions 2.0.0-alpha.24 - 26.0.5.
Upgrade the i18next library to a patched version.