GHSA-8847-338w-5hcj: i18next-fs-backend: Path traversal via unsanitised lng/ns allows arbitrary file read/overwrite
Versions of i18next-fs-backend prior to 2.6.4 interpolate the caller-supplied lng and ns values directly into the configured loadPath and addPath templates with no path-component validation and no sanitisation. When an application exposes the resolved language code to user-controlled input (?lng= query parameter, cookie, request header), a crafted value can break out of the intended locale directory.
Affected call sites in lib/index.js:
read(line 38 pre-patch):const filename = interpolate(loadPath, { lng: language, ns: namespace })removeFile(line 101 pre-patch): same pattern againstaddPathwriteFile(line 127 pre-patch): same pattern againstaddPathfor queued missing-key writes
The helper interpolate in lib/utils.js substitutes raw values with no encoding — unlike the addQueryString helper in i18next-http-backend, there is no equivalent safety for path interpolation.
References
Code Behaviors & Features
Detect and mitigate GHSA-8847-338w-5hcj with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →