A critical prototype pollution flaw now threatens one of the npm ecosystem’s most popular translation tools. Tracked as CVE-2026-48713, the bug carries a CVSS score of 9.1 and affects i18next-fs-backend, a package that pulls more than one million weekly downloads.
Why It Matters
The huge download count raises the stakes. Many production apps pull i18next-fs-backend in deep inside their dependency tree, and because every ordinary object in a Node.js process inherits from Object.prototype, a single poisoned prototype can ripple across every object the app touches. Even so, exploitation depends on a specific, exposed configuration.
How the Flaw Works
The weakness lives in how the backend saves missing translation keys. When an app persists those keys, Backend.writeFile() splits each key string on the key separator. An internal walker then follows the resulting path segment by segment, creating nested objects as it goes, without checking for unsafe segments. As a result, a crafted key such as “__proto__.polluted” walks straight into Object.prototype and writes the final property there.
Consequently, an unauthenticated attacker can write arbitrary properties onto the global prototype. Such pollution can crash the app, corrupt translations, or poison configuration. In some cases, it may even bypass property-based security checks.
Who Is Affected
Not every deployment is at risk, however. An app is vulnerable only when i18next-fs-backend 2.6.5 or older serves as the backend, the missingKeyHandler forwards untrusted input while saveMissing stays enabled, and the default key-splitting behavior remains active. Apps that never expose missing-key persistence to untrusted users avoid this path entirely.
A companion middleware bug, CVE-2026-48714, widens the same attack surface. Together, the two flaws let remote input reach the unguarded walker.
Patch and Mitigations
Fortunately, the maintainers shipped a clean fix. The patched walker now refuses to descend through __proto__, constructor, or prototype segments. Teams should therefore upgrade to the i18next-fs-backend 2.6.6 release immediately. If you cannot upgrade yet, disable missing-key persistence or set keySeparator to false. Above all, keep the handler away from untrusted users.
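The walker described in the flaw section and the guard described in the fix, side by side, as an added example that is not code from i18next-fs-backend or its maintainers. It assumes a “.” key separator, the function names setPathUnguarded(), setPathGuarded() and demo(), and uses the article’s own “__proto__.polluted” key; a fresh, unrelated object serves as the witness for whether a write reached Object.prototype.

```javascript
// Added example: a minimal key-path "walker" of the kind the article describes,
// NOT code from i18next-fs-backend. setPathUnguarded() reproduces the weakness
// (split on the separator, descend, assign); setPathGuarded() adds the check the
// patch introduces (refuse __proto__, constructor and prototype segments).
// KEY_SEPARATOR, the function names and demo() are assumptions for this example.

const KEY_SEPARATOR = '.';

// Segments the patched walker refuses to descend through (from the article).
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Unguarded walker. On a plain object, node['__proto__'] evaluates to
// Object.prototype, so a key beginning with "__proto__." makes the final
// assignment land on the shared prototype, where every object then sees it.
function setPathUnguarded(root, key, value) {
  const segments = key.split(KEY_SEPARATOR);
  let node = root;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (node[seg] === null || typeof node[seg] !== 'object') node[seg] = {};
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
}

// Guarded walker: same traversal, but any unsafe segment aborts the write
// before anything is touched. Returns true when written, false when refused.
function setPathGuarded(root, key, value) {
  const segments = key.split(KEY_SEPARATOR);
  if (segments.some((seg) => UNSAFE_SEGMENTS.has(seg))) return false;
  let node = root;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (node[seg] === null || typeof node[seg] !== 'object') node[seg] = {};
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return true;
}

// Runs both walkers against the article's example key and reports the outcome.
// If a brand-new object gained "polluted", the write reached Object.prototype.
// Cleans the prototype up afterwards so nothing leaks past the demo.
function demo() {
  const store = {};
  setPathUnguarded(store, '__proto__.polluted', 'yes');
  const unguardedLeaked = ({}).polluted === 'yes';
  delete Object.prototype.polluted;

  const safeStore = {};
  const written = setPathGuarded(safeStore, '__proto__.polluted', 'yes');
  const guardedLeaked = ({}).polluted !== undefined;

  // Ordinary nested translation keys still round-trip through the guarded walker.
  setPathGuarded(safeStore, 'menu.file.save', 'Save');

  return {
    unguardedLeaked,                              // true: the weakness is real
    written,                                      // false: the guard refused the key
    guardedLeaked,                                // false: prototype untouched
    ownKeysOnSafeStore: Object.keys(safeStore),   // ['menu']
    legitValue: safeStore.menu.file.save,         // 'Save'
  };
}

console.log(demo());
```

The segment check mirrors what the article says the patch does. A defence-in-depth variant would also build intermediate nodes with Object.create(null), so there is no prototype to reach even if a new dangerous segment name is ever discovered; that goes beyond the fix the article describes.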