CVE-2026-42353

Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters

Assigner: GitHub_M
Reserved: 26.04.2026 Published: 08.05.2026 Updated: 08.05.2026

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CVSS Score: 8.2

Attack Vector	Network	Scope	Unchanged
Attack Complexity	Low	Confidentiality Impact	High
Privileges Required	None	Integrity Impact	Low
User Interaction	None	Availability Impact	None

CVSS 3.1

Product Status

Vendor	i18next
Product	i18next-http-middleware
Versions	Version < 3.9.3 is affected

Vendor

i18next

Product

i18next-http-middleware

Versions

Version < 3.9.3 is affected

References

Problem Types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE
CWE-918: Server-Side Request Forgery (SSRF) CWE

CVE-2026-42353 PUBLISHED

Path traversal / SSRF in i18next-http-middleware via user-controlled language and namespace parameters

Metrics

Product Status

References

Problem Types