i18next-fs-backend is vulnerable to Prototype Pollution
91
Critical Risk
When the backend persists missing translation keys, writeFile splits each missing-key string on the configured keySeparator before calling the internal setPath helpers. Crafted keys such as __proto__.polluted are split into path segments that getLastOfPath follows into Object.prototype, letting attackers write properties onto the shared prototype. This is reachable when saveMissing flows accept untrusted input, such as through the i18next-http-middleware missingKeyHandler. The fix blocks descent through __proto__, constructor, or prototype segments and silently drops unsafe writes while leaving legitimate dotted keys intact.
You are affected if you are using a version that falls within the vulnerable range.
i18next-fs-backend is vulnerable to Prototype Pollution in versions 0.0.1 - 2.6.5.
Upgrade the i18next-fs-backend library to the patched version.
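
The split-and-descend pattern described above, next to a guarded form, as an added example that is not code from i18next-fs-backend. The helper names setPathUnsafe and setPathSafe, the marker property and the sample keys are constructed for illustration; the guard follows the fix as this page describes it.

```javascript
// Added illustration; simplified helpers, not i18next-fs-backend source.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// "Before": walks every segment, so "__proto__" resolves to Object.prototype.
function setPathUnsafe(obj, key, value, keySeparator = '.') {
  const segments = key.split(keySeparator);
  const last = segments.pop();
  let node = obj;
  for (const seg of segments) {
    if (node[seg] === undefined || node[seg] === null) node[seg] = {};
    node = node[seg];
  }
  node[last] = value;
}

// "After": refuse the whole write if any segment is unsafe; report the outcome.
function setPathSafe(obj, key, value, keySeparator = '.') {
  const segments = key.split(keySeparator);
  if (segments.some((seg) => UNSAFE_SEGMENTS.has(seg))) return false; // dropped
  const last = segments.pop();
  let node = obj;
  for (const seg of segments) {
    if (!Object.prototype.hasOwnProperty.call(node, seg) ||
        typeof node[seg] !== 'object' || node[seg] === null) {
      node[seg] = {}; // only descend into own, object-valued properties
    }
    node = node[seg];
  }
  node[last] = value;
  return true;
}

// Constructed demo: returns what each helper did for the same inputs.
function demo() {
  const marker = 'pollutedDemoMarker'; // constructed property name
  const crafted = '__proto__.' + marker;
  const result = {};
  setPathUnsafe({}, crafted, 'x');
  result.unsafePolluted = ({})[marker] === 'x'; // visible on an unrelated object
  delete Object.prototype[marker]; // clean up the shared prototype

  const resources = {};
  result.craftedAccepted = setPathSafe(resources, crafted, 'x');
  result.safePolluted = marker in {};
  result.legitAccepted = setPathSafe(resources, 'errors.form.required', 'Required');
  result.legitValue = resources.errors.form.required;
  return result;
}
console.log(demo());
```

The same demo() doubles as a regression check: run it against whatever key-writing helper sits behind a saveMissing endpoint and confirm the crafted key is rejected while dotted keys still land.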