Intel

AIKIDO-2026-428313

i18next-icu is vulnerable to Prototype Pollution

Prototype Pollution Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

65

Medium Risk

This Affects:

JSi18next-icu
0.2.0 - 2.4.3
Fixed in 2.4.4
Are you affected? Scan for Free

TL;DR

i18next-icu caches compiled ICU formatters using a memoize key built from the language, namespace, and translation key, written through an internal path walker. Only the translation key segment is escaped, so a namespace or language segment named __proto__, constructor, or prototype makes the walker descend into and assign onto Object.prototype. The language segment is taken from the requested language, so when language detection or other untrusted input drives translation with memoization enabled, this pollutes the global object prototype and affects every object created afterwards in the process. The fix makes the walker refuse unsafe path segments and drop the write, and option merging now skips prototype keys.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application derives the active language or namespace from untrusted input with memoization enabled.

Background info

i18next-icu is vulnerable to Prototype Pollution in versions 0.2.0 - 2.4.3.

How to fix this

Upgrade the i18next-icu library to the patch version.