Advisories for Npm/I18next-Fs-Backend package

Versions of i18next-fs-backend prior to 2.6.4 interpolate the caller-supplied lng and ns values directly into the configured loadPath and addPath templates with no path-component validation and no sanitisation. When an application exposes the resolved language code to user-controlled input (?lng= query parameter, cookie, request header), a crafted value can break out of the intended locale directory. Affected call sites in lib/index.js: read (line 38 pre-patch): const filename = interpolate(loadPath, { …

Versions of i18next-fs-backend prior to 2.6.4 interpolate the caller-supplied lng and ns values directly into the configured loadPath and addPath templates with no path-component validation and no sanitisation. When an application exposes the resolved language code to user-controlled input (?lng= query parameter, cookie, request header), a crafted value can break out of the intended locale directory. Affected call sites in lib/index.js: read (line 38 pre-patch): const filename = interpolate(loadPath, { …