CVE-2026-42353: i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters
Versions of i18next-http-middleware prior to 3.9.3 pass the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitisation. Depending on which backend is configured, the unvalidated path segments enable one of two attacks:
- Filesystem path traversal when the middleware is paired with i18next-fs-backend (or any backend that interpolates lng/ns into a filesystem path).
- Server-Side Request Forgery (SSRF) when the middleware is paired with i18next-http-backend (or any backend that interpolates lng/ns into an HTTP URL).
Example request:
GET /locales/resources.json?lng=../../etc/passwd&ns=root
with i18next-fs-backend reads the attacker-chosen file from disk; with i18next-http-backend reshapes the outgoing URL to target an internal service.
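Added example, not the project's own code or its fix: a resources handler that allowlist-checks lng and ns before they reach backendConnector.load, so a value such as the one in the request above is rejected with a 400. The names validateResourceParams, makeResourcesHandler, supportedLngs and supportedNs are assumptions, as is the use of i18next.getResourceBundle to build the response.

```javascript
// Added example, not the project's own code: allowlist-validate the lng and ns
// query parameters before a backend interpolates them into a path or URL.
// supportedLngs / supportedNs are assumed to come from the app's i18next config.
const LNG_RE = /^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$/; // "en", "en-US", "zh-Hant-TW"
const NS_RE = /^[A-Za-z0-9_]{1,64}$/;                 // "translation", "common_ui"

// i18next accepts comma-separated lists; repeated query keys arrive as arrays.
function splitParam(value) {
  if (value === undefined || value === null) return [];
  const raw = Array.isArray(value) ? value : String(value).split(',');
  return raw.map((s) => String(s).trim()).filter((s) => s.length > 0);
}

// Returns { ok: true, lngs, nss } or { ok: false, reason }. Express has already
// URL-decoded the query, so "%2e%2e/" arrives as "../" and fails the pattern;
// the allowlist additionally rejects well-formed but unknown values.
function validateResourceParams(query, supportedLngs, supportedNs) {
  const lngs = splitParam(query.lng);
  const nss = splitParam(query.ns);
  if (lngs.length === 0 || nss.length === 0) return { ok: false, reason: 'missing lng or ns' };
  for (const lng of lngs) {
    if (!LNG_RE.test(lng) || !supportedLngs.includes(lng)) return { ok: false, reason: `unsupported lng: ${lng}` };
  }
  for (const ns of nss) {
    if (!NS_RE.test(ns) || !supportedNs.includes(ns)) return { ok: false, reason: `unsupported ns: ${ns}` };
  }
  return { ok: true, lngs, nss };
}

// Express-style resources handler: only validated values reach backendConnector.load().
function makeResourcesHandler(i18next, supportedLngs, supportedNs) {
  return function resourcesHandler(req, res) {
    const v = validateResourceParams(req.query, supportedLngs, supportedNs);
    if (!v.ok) return res.status(400).json({ error: v.reason });
    i18next.services.backendConnector.load(v.lngs, v.nss, () => {
      const resources = {};
      for (const lng of v.lngs) {
        resources[lng] = {};
        for (const ns of v.nss) resources[lng][ns] = i18next.getResourceBundle(lng, ns) || {};
      }
      res.json(resources);
    });
  };
}
```

Mount the returned handler on the resources route in place of the unvalidated one; the allowlists should be the same supportedLngs and ns values the application already passes to i18next.init.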