CVE 8.6 HIGH

HTTP response splitting and DoS in i18next-http-middleware via unsanitised Content-Language header_CVE-2026-41683

May 8, 2026 invoker category_cve
8.6 / 10
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L

Description

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older i18next (< 19.5.0) that still exercised the backward-compatibility fallback at LanguageDetector.js:100 or otherwise produced a raw detected value, CRLF sequences in the attacker-controlled lng parameter reached res.setHeader('Content-Language', ...) verbatim. This issue has been patched in version 3.9.3.

AI Analysis

HTTP response splitting and DoS vulnerability in i18next-http-middleware via unsanitised Content-Language header

Basic Information

ID CVE-2026-41683
Source GitHub_M
Published May 8, 2026 at 15:27

Affected Product

Vendor i18next
Product i18next-http-middleware
Version < 3.9.3
Affected Versions i18next i18next-http-middleware < 3.9.3

CWE Classification

CWE-79 CWE-113

AI Assessment

AI Score 8.6 / 10
AI Severity High
Vendor i18next
Product i18next-http-middleware
Version < 3.9.3

References

💭 Join the Security Discussion

🔒 Your email address will not be published. Required fields are marked *

⚠️ Please be respectful and constructive in your comments. Security discussions should remain professional.