CVE-2026-42353
Published 2026-05-08
Priority: P3 (48)
Severity: high, CVSS 3.1 base score 8.2
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.39% (30.5th percentile)
i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| i18next | i18next-http-middleware | < 3.9.3 | 3.9.3 |
VulDB · 2026-04-30
CVE-2026-42353 [CRITICAL] i18next i18next-http-middleware prior 3.9.3 languages/namespaces server-side request forgery
A vulnerability was found in i18next i18next-http-middleware. It has been classified as critical. This issue affects some unknown processing. Performing a manipulation of the argument languages/namespaces results in server-side request forgery.
This vulnerability is cataloged as CVE-2026-42353. It is possible to initiate the attack remotely. There is no exploit available.
Upgrading the affected component is recommended.
GHSA · 2026-04-29
CVE-2026-42353 [HIGH] CWE-22 i18next-http-middleware has path traversal / SSRF via user-controlled language and namespace parameters
### Summary
Versions of `i18next-http-middleware` prior to 3.9.3 pass the user-controlled `lng` and `ns` values from `getResourcesHandler` directly into `i18next.services.backendConnector.load(languages, namespaces, …)` without any sanitisation. Depending on which backend is configured, the unvalidated path segments enable one of two attacks:
- **Filesystem path traversal** when the middleware is paired with `i18next-fs-backend` (or any backend that interpolates `lng` / `ns` into a filesystem path).
- **Server-Side Request Forgery (SSRF)** when the middleware is paired with `i18next-http-backend` (or any backend that interpolates into an HTTP URL).
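The two attacks above share one root cause: whatever arrives in `lng` and `ns` becomes a path or URL segment in the configured backend. As an added example (not code from the i18next project or from the advisory), the following Node.js guard validates both values against a strict shape and an allowlist of the languages and namespaces the application actually serves, and rejects the request before a resource-loading handler ever sees them. The query-parameter names, the comma-separated list shape, and the allowed sets are assumptions made for illustration; upgrading to the patched release 3.9.3 remains the actual fix, and this gate is defence in depth in front of it.

```javascript
// Added example, not part of i18next-http-middleware: an allowlist gate for the
// `lng` and `ns` query values before they reach a resource-loading handler.
// Assumed: clients send `lng`/`ns` as comma-separated lists (as in ?lng=en,de&ns=common);
// the allowed sets and sample queries below are constructed for this example.

const LANGUAGE_TAG = /^[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*$/; // e.g. en, de-CH, zh-Hant-TW
const NAMESPACE = /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/;         // e.g. translation, common

// Split a comma-separated query value (or an array of repeated values) into trimmed tokens.
function parseList(value) {
  const raw = Array.isArray(value) ? value : [value];
  return raw
    .filter((v) => typeof v === 'string')
    .flatMap((v) => v.split(','))
    .map((v) => v.trim())
    .filter((v) => v.length > 0);
}

// Reject anything a path- or URL-building backend could misinterpret. The
// patterns above already exclude '/', '\', '.', ':', '%', '?' and '#', but the
// checks are spelled out so the intent survives a future pattern change.
// A '%' is rejected because the framework has already URL-decoded the value once;
// a remaining '%' means a second encoding layer that a backend might decode again.
function isSafeToken(token, pattern) {
  if (token.length > 64) return false;
  if (/[\/\\%:?#]/.test(token) || token.includes('..')) return false;
  return pattern.test(token);
}

// Validate the whole query. Returns { ok: true, languages, namespaces } or
// { ok: false, reason } without revealing the offending value to the client.
function validateResourceQuery(query, allowedLanguages, allowedNamespaces) {
  const languages = parseList(query.lng);
  const namespaces = parseList(query.ns);
  if (languages.length === 0 || namespaces.length === 0) {
    return { ok: false, reason: 'missing lng or ns' };
  }
  for (const lng of languages) {
    if (!isSafeToken(lng, LANGUAGE_TAG) || !allowedLanguages.has(lng)) {
      return { ok: false, reason: 'language not allowed' };
    }
  }
  for (const ns of namespaces) {
    if (!isSafeToken(ns, NAMESPACE) || !allowedNamespaces.has(ns)) {
      return { ok: false, reason: 'namespace not allowed' };
    }
  }
  return { ok: true, languages, namespaces };
}

// Express-style middleware factory; only req.query, res.status().json() and next() are used,
// so it can be mounted ahead of any handler that loads translation resources.
function resourceQueryGuard(allowedLanguages, allowedNamespaces) {
  return (req, res, next) => {
    const result = validateResourceQuery(req.query || {}, allowedLanguages, allowedNamespaces);
    if (!result.ok) {
      return res.status(400).json({ error: 'invalid lng or ns' });
    }
    // Hand the validated, normalised lists to downstream handlers.
    req.i18nResources = { languages: result.languages, namespaces: result.namespaces };
    return next();
  };
}

// Constructed sample configuration and requests (not from the advisory).
const ALLOWED_LANGUAGES = new Set(['en', 'de', 'de-CH', 'fr']);
const ALLOWED_NAMESPACES = new Set(['translation', 'common']);
const SAMPLE_QUERIES = [
  { lng: 'en,de-CH', ns: 'translation' },     // well-formed and served: accepted
  { lng: '../../config', ns: 'translation' }, // path segments: rejected
  { lng: 'en', ns: 'evil.example/common' },   // URL-shaped namespace: rejected
  { lng: 'en', ns: '%2e%2e%2fcommon' },       // still-encoded value: rejected
  { lng: 'es', ns: 'common' },                // well-formed but not served: rejected
];

for (const q of SAMPLE_QUERIES) {
  const r = validateResourceQuery(q, ALLOWED_LANGUAGES, ALLOWED_NAMESPACES);
  console.log(JSON.stringify(q), '->', r.ok ? 'accepted' : `rejected (${r.reason})`);
}
```

Mount `resourceQueryGuard(ALLOWED_LANGUAGES, ALLOWED_NAMESPACES)` on the route that serves translation resources so the validated `req.i18nResources` lists, not the raw query, are what the loading code consumes. The allowlist is the important part: the shape check alone would still let a well-formed but unexpected language such as `es` trigger a backend lookup, which is exactly the request to a path or URL the operator never intended to serve.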
Example request:
```
GET /locales/
```