Path traversal / SSRF in i18next-http-middleware via user-controlled language and...

8.2 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Description

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3.

Basic Information

ID CVE-2026-42353

Source GitHub_M

Published May 8, 2026 at 15:29

Affected Product

Vendor i18next

Product i18next-http-middleware

Version < 3.9.3

Affected Versions i18next i18next-http-middleware < 3.9.3

CWE Classification

CWE-22 CWE-918

References

github.com /i18next/i18next-http-middleware/security/advisories/GHSA-jfgf-83c5-2c4m

{
    "lastseen": "",
    "description": "i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, \u2026) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3.",
    "published": "2026-05-08T15:29:55.900Z",
    "modified": "2026-05-08T15:29:55.900Z",
    "type": "cve",
    "title": "Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters",
    "source": "GitHub_M",
    "references": "https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-jfgf-83c5-2c4m",
    "id": "CVE-2026-42353",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22",
        "CWE-918"
    ],
    "cvelist": null,
    "sourceData": "i18next i18next-http-middleware < 3.9.3",
    "sourceHref": "",
    "cvss": {
        "score": 8.2,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "i18next-http-middleware",
    "version": "< 3.9.3",
    "vendor": "i18next",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters_CVE-2026-42353