i18next is vulnerable to Prototype Pollution
65
Medium Risk
i18next merges resource bundles through deepExtend, used by addResourceBundle when called with the deep and overwrite options. It checked key existence with the in operator, which walks the prototype chain, so a source key matching an inherited built-in such as hasOwnProperty or toString caused recursion into the shared Object.prototype function. With overwrite enabled, this could overwrite a shared built-in like Object.prototype.hasOwnProperty.call with a non-callable value, corrupting it process-wide and causing denial of service. The fix checks existence with Object.prototype.hasOwnProperty.call so such keys are copied as plain own data instead.
You are affected if you are using a version that falls within the vulnerable range and your application merges untrusted data through addResourceBundle with the deep and overwrite options enabled.
i18next is vulnerable to Prototype Pollution in versions 2.0.0 - 26.3.3.
Upgrade the i18next library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant