Intel

AIKIDO-2026-387296

i18next is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

65

Medium Risk

This Affects:

JSi18next
2.0.0 - 26.3.3
Fixed in 26.3.4
Are you affected? Scan for Free

TL;DR

i18next merges resource bundles through deepExtend, used by addResourceBundle when called with the deep and overwrite options. It checked key existence with the in operator, which walks the prototype chain, so a source key matching an inherited built-in such as hasOwnProperty or toString caused recursion into the shared Object.prototype function. With overwrite enabled, this could overwrite a shared built-in like Object.prototype.hasOwnProperty.call with a non-callable value, corrupting it process-wide and causing denial of service. The fix checks existence with Object.prototype.hasOwnProperty.call so such keys are copied as plain own data instead.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application merges untrusted data through addResourceBundle with the deep and overwrite options enabled.

Background info

i18next is vulnerable to Prototype Pollution in versions 2.0.0 - 26.3.3.

How to fix this

Upgrade the i18next library to the patch version.