Versions of i18next-http-middleware prior to 3.9.3 pass the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitisation. Depending on which backend is configured, the unvalidated path segments enable one of two attacks: Filesystem path traversal when the middleware is paired with i18next-fs-backend (or any backend that interpolates lng / ns into a filesystem path). Server-Side Request Forgery (SSRF) when the middleware is paired with …
Versions of i18next-http-middleware prior to 3.9.3 pass user-controlled lng and ns parameters to two internal paths that use them in ways that enable prototype pollution and, depending on the configured backend, path traversal or SSRF. The vulnerable entry points are unauthenticated HTTP handlers that are part of the middleware's public API: getResourcesHandler — reads lng/ns from query parameters or route params and passes them unvalidated to: utils.setPath(resources, [lng, ns], …) …
Versions of i18next-http-middleware prior to 3.9.3 pass user-controlled lng and ns parameters to two internal paths that use them in ways that enable prototype pollution and, depending on the configured backend, path traversal or SSRF. The vulnerable entry points are unauthenticated HTTP handlers that are part of the middleware's public API: getResourcesHandler — reads lng/ns from query parameters or route params and passes them unvalidated to: utils.setPath(resources, [lng, ns], …) …
Versions of i18next-http-middleware prior to 3.9.3 wrote user-controlled language values into the Content-Language response header after passing them through utils.escape(), which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older i18next (< 19.5.0) that still exercised the backward-compatibility fallback at LanguageDetector.js:100 or otherwise produced a raw detected value, CRLF sequences in the attacker-controlled lng parameter reached res.setHeader('Content-Language', …