External risk intelligence

i18next-fs-backend Prototype Pollution Vulnerability

CVE advisory
Severity: CRITICAL (CVSS 9.1)

CVE-2026-48713

A prototype pollution vulnerability exists in a translation management library when processing untrusted missing translation keys, potentially altering global program settings. This could lead to application instability or security bypasses if the affected feature is reachable by unauthenticated users. Determining if y

Halo Surface Signal: 3

External exposure likelihood

Halo Surface Signal score for CVE-2026-48713

The vulnerability exists in a library function that handles translation keys. While it can be triggered via web middleware if incorrectly exposed to untrusted user input, this is a specific configuration choice rather than a default public-facing service or interface. Therefore, while reachable from the internet in some deployments, public exposure is not the default or intended design.

PCI scan relevance

PCI Relevance for CVE-2026-48713

Yes

CVE-2026-48713 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows for remote code execution by manipulating translation keys. Given its critical severity, it is relevant for PCI scanning.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability affecting certain versions of a translation management library. When handling missing translation keys from untrusted sources, the library can be exploited through specially crafted input to alter global program settings, potentially leading to application crashes or security bypasses. The main concern is confirming relevance and exposure within your specific application deployments.

  • Affects translation key handling in specific software.
  • Could impact application stability and security controls.
  • Confirm if your systems use this library with untrusted input.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted requests to an application that exposes a translation key persistence feature to untrusted input. This feature incorrectly handles missing translation keys, allowing the attacker to inject malicious data that modifies the application's global object prototype. This modification can lead to various negative consequences for the application's stability and security.

  • Requires an exposed translation key feature.
  • Triggered by missing translation keys in requests.
  • Can corrupt translations or bypass security.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could impact applications that expose a specific translation key persistence feature to untrusted users. When this feature is accessible and improperly configured, attackers could manipulate how translation keys are processed, potentially leading to unintended changes in application behavior, crashes, or security bypasses. Applications that do not allow untrusted input to trigger this feature are not directly affected.

  • Application behavior and configuration.
  • Malicious key strings processed by the system.
  • Unintended crashes or security bypasses.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The application owner is likely responsible for addressing this vulnerability, as it resides within the i18next-fs-backend library used in their application. The first practical step is to identify all instances of this library, confirm whether the `missingKeyHandler` is exposed to untrusted input, and then plan remediation during a maintenance window.

  • Application owners must own the issue.
  • Verify `missingKeyHandler` exposure to untrusted input.
  • Plan remediation during scheduled maintenance.

Frequently asked questions

What is i18next-fs-backend used for?

i18next-fs-backend is a library for Node.js applications that manages translation files. It allows developers to persist missing translation keys—meaning when the software encounters a text string that hasn't been translated yet, it can automatically write that new key to a file system. This helps streamline the development of localized, multi-language web applications.

What is the prototype pollution weakness in CVE-2026-48713?

This CVE involves a vulnerability classified as CWE-1321, or Prototype Pollution. It occurs when an application trusts input that is used as a property path. Because the library fails to validate these paths, an attacker can supply a specially crafted key that points to the base object prototype. By doing this, they can inject or overwrite global properties, which can unpredictably alter how the entire application behaves.

How can an attacker trigger this vulnerability?

The attack requires an application to expose the `missingKeyHandler` route to untrusted users. If that endpoint accepts external requests, an attacker can send a string containing a path segment such as `__proto__`. The library then inadvertently walks this path into the global object prototype. If an application does not expose this persistence feature to external traffic, or if it has disabled key splitting, the vulnerability cannot be triggered through this path.

Why should I care if my app is internet-facing?

According to Halo Surface Signal, this vulnerability is not a default, public-facing service. However, because it exists in a library function that can be linked to web middleware, its reach depends on your specific architecture. If your application exposes translation persistence to the internet, it is reachable. You should care because this creates a scenario where an external user could potentially influence the application's runtime environment.

How do I secure my application against this issue?

The primary fix is to update to version 2.6.6 or later. If you cannot update immediately, restrict access to the `missingKeyHandler` by requiring authentication. You can also disable the problematic feature by setting `saveMissing` to false, or by setting `keySeparator` to false in your configuration, which prevents the library from splitting and walking the input strings.
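As an added illustration that is not code from i18next-fs-backend or from this advisory: a minimal "persist missing key" path walker in the unsafe shape the FAQ describes, beside a hardened version that rejects prototype-reaching segments and honours `keySeparator: false`, plus a pre-check a caller can run on untrusted keys before persisting them. The function names and the walker itself are assumptions for the example.

```javascript
// Added example, not the library's own code. Segments that would let a
// split key reach Object.prototype instead of the translation store.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Unsafe shape: splits the key on keySeparator and walks/creates objects
// along the path with no validation. For "__proto__.polluted" the walk
// lands on Object.prototype, so the final assignment pollutes every object.
function unsafeSetPath(store, key, value, keySeparator = '.') {
  const parts = key.split(keySeparator);
  let node = store;
  for (let i = 0; i < parts.length - 1; i++) {
    if (typeof node[parts[i]] !== 'object' || node[parts[i]] === null) {
      node[parts[i]] = {};
    }
    node = node[parts[i]];
  }
  node[parts[parts.length - 1]] = value;
  return store;
}

// Hardened shape: rejects unsafe segments, only descends into own
// properties, creates null-prototype containers, and treats
// keySeparator === false as "no splitting" (the advisory's mitigation).
function safeSetPath(store, key, value, keySeparator = '.') {
  const parts = keySeparator === false ? [key] : key.split(keySeparator);
  for (const p of parts) {
    if (UNSAFE_SEGMENTS.has(p)) {
      throw new Error(`rejected unsafe key segment: ${p}`);
    }
  }
  let node = store;
  for (let i = 0; i < parts.length - 1; i++) {
    const own = Object.prototype.hasOwnProperty.call(node, parts[i]);
    if (!own || typeof node[parts[i]] !== 'object' || node[parts[i]] === null) {
      node[parts[i]] = Object.create(null);
    }
    node = node[parts[i]];
  }
  node[parts[parts.length - 1]] = value;
  return store;
}

// Pre-check for a caller that must accept keys from untrusted input:
// true when the key, split as the library would split it, contains a
// segment that reaches the prototype chain.
function isPollutingKey(key, keySeparator = '.') {
  const parts = keySeparator === false ? [key] : key.split(keySeparator);
  return parts.some((p) => UNSAFE_SEGMENTS.has(p));
}
```

The unsafe walker is included only as the contrast case; a handler that accepts missing keys from requests should use the hardened walker or reject keys for which `isPollutingKey` is true.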
