i18next-icu is vulnerable to Prototype Pollution
65
Medium Risk
i18next-icu caches compiled ICU formatters using a memoize key built from the language, namespace, and translation key, written through an internal path walker. Only the translation key segment is escaped, so a namespace or language segment named __proto__, constructor, or prototype makes the walker descend into and assign onto Object.prototype. The language segment is taken from the requested language, so when language detection or other untrusted input drives translation with memoization enabled, this pollutes the global object prototype and affects every object created afterwards in the process. The fix makes the walker refuse unsafe path segments and drop the write, and option merging now skips prototype keys.
You are affected if you are using a version that falls within the vulnerable range and your application derives the active language or namespace from untrusted input with memoization enabled.
i18next-icu is vulnerable to Prototype Pollution in versions 0.2.0 - 2.4.3.
Upgrade the i18next-icu library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant