External risk intelligence

i18next-http-middleware Prototype Pollution Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-48714

A flaw in i18next-http-middleware allows specially crafted requests to cause prototype pollution, potentially leading to application crashes or security bypasses if the handler is exposed to untrusted input and specific backends are used.

Halo Surface Signal: 4

External exposure likelihood


The vulnerability affects middleware used in Node.js web frameworks like Express or Fastify. Because this middleware is designed to process web requests and handle missing translation keys often exposed to end users, it is commonly integrated into internet-facing web applications and API endpoints, making it a likely component of an exposed attack surface.

PCI scan relevance


CVE-2026-48714 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

Prototype pollution vulnerability in i18next-http-middleware can lead to remote code execution, posing a PCI DSS compliance risk.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in i18next-http-middleware, a component used in Node.js web applications. This issue could allow an attacker to manipulate application behavior, potentially leading to crashes, corrupted data, or security bypasses if certain conditions are met, particularly when the middleware is combined with specific backend configurations and exposed to untrusted input.

  • A coding flaw can alter application behavior.
  • Affects web applications using specific Node.js middleware.
  • Confirm relevance and ensure proper exposure controls.

Attack Path

How an attacker could exploit the issue

An attacker can trigger this vulnerability by sending specially crafted requests to an application that exposes the `missingKeyHandler` to untrusted input and uses a vulnerable version of `i18next-fs-backend`. The `missingKeyHandler` in `i18next-http-middleware` does not properly sanitize certain keys, allowing an attacker to inject values that modify `Object.prototype`. Because every ordinary object inherits from that prototype, this pollution can lead to various harmful outcomes within the application, such as crashes or bypassed security checks.

  • Entry condition: Exposed `missingKeyHandler` with untrusted input.
  • Trigger point: Sending dotted keys like "__proto__.polluted".
  • Resulting risk: Prototype pollution leading to application compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could affect applications that expose a specific middleware function to untrusted input, especially when used with certain backend configurations. When an attacker can send specially crafted input to this function, it may lead to prototype pollution, potentially altering application behavior or causing crashes.

  • Application behavior and data integrity.
  • Via crafted request to exposed middleware.
  • Corrupted translations or service crashes.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Application and platform teams responsible for Node.js web frameworks like Express and Fastify should prioritize understanding their exposure. The first practical step is to identify all instances of the affected middleware, determine if they are accessible from untrusted input, and confirm their business criticality to prioritize remediation efforts.

  • Application owners own the issue.
  • Verify untrusted input exposure.
  • Plan remediation based on risk.

Frequently asked questions

What is i18next-http-middleware?

It is a software component used in Node.js and Deno environments to bridge web frameworks like Express or Fastify with translation systems. Developers use it to manage how applications handle missing translation keys by routing those requests to backend storage, enabling dynamic updates to application text as users navigate.

What does CVE-2026-48714 mean for application security?

This vulnerability is a form of prototype pollution, categorized as CWE-1321. It occurs when the middleware fails to sanitize specific dotted input strings. Because JavaScript objects share a base prototype, an attacker can use these malformed keys to inject new properties into that shared Object.prototype, so every object in the application inherits them, potentially tricking the application into executing unintended logic or crashing.

How is this prototype pollution triggered?

An attacker triggers this by sending a crafted request to a publicly accessible missingKeyHandler that contains a dotted property string, such as '__proto__.polluted'. The issue does not occur if the application does not use a vulnerable downstream backend that blindly trusts and writes these keys, nor does it trigger if the handler is not reachable by untrusted users.
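To make the trigger described in the Attack Path and in this answer concrete, the following is an added JavaScript model, not code from i18next-http-middleware or any i18next backend: a naive nested-key writer of the kind the advisory says "blindly trusts and writes these keys" beside a hardened setter that rejects `__proto__`, `constructor` and `prototype` path segments. All function and variable names are hypothetical.

```javascript
// Added illustration with hypothetical names, not code from i18next-http-middleware or
// any i18next backend: a naive nested-key writer beside the hardened setter a defender wants.
// Naive writer: walks/creates intermediate objects blindly. With "__proto__.polluted"
// the walk lands on Object.prototype and the final assignment writes there.
function setNestedUnsafe(store, dottedKey, value) {
  const parts = dottedKey.split('.');
  let cur = store;
  for (let i = 0; i < parts.length - 1; i++) {
    if (typeof cur[parts[i]] !== 'object') cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return store;
}

// Segments that can redirect a nested write onto a shared prototype (CWE-1321).
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Validate a dotted key before anything is written: no empty or forbidden segments.
function isSafeKeyPath(dottedKey) {
  return typeof dottedKey === 'string' &&
    dottedKey.split('.').every(p => p.length > 0 && !FORBIDDEN_SEGMENTS.has(p));
}

// Hardened writer: rejects unsafe paths and only descends into own plain-object children.
function setNestedSafe(store, dottedKey, value) {
  if (!isSafeKeyPath(dottedKey)) throw new Error(`unsafe key path rejected: ${dottedKey}`);
  const parts = dottedKey.split('.');
  let cur = store;
  for (let i = 0; i < parts.length - 1; i++) {
    const child = Object.prototype.hasOwnProperty.call(cur, parts[i]) ? cur[parts[i]] : undefined;
    if (typeof child !== 'object' || child === null) cur[parts[i]] = {};
    cur = cur[parts[i]];
  }
  cur[parts[parts.length - 1]] = value;
  return store;
}

// Writes `key` into a fresh store with `setter` and reports what an unrelated object sees
// at `probe` (undefined means no pollution); finally undoes any pollution the demo caused.
function probeAfterWrite(setter, key, probe) {
  try {
    setter({}, key, 'polluted-value');
    return ({})[probe];
  } catch (e) {
    return `rejected: ${e.message}`;
  } finally {
    delete Object.prototype[probe];
  }
}
```

Running `probeAfterWrite(setNestedUnsafe, '__proto__.polluted', 'polluted')` shows an unrelated empty object suddenly carrying the injected value, while the hardened setter refuses the key before any write happens.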

Is my application at risk?

Halo Surface Signal indicates this is a likely concern for internet-facing applications because the middleware is designed to process external web requests. If your app exposes the missingKeyHandler to the internet and uses a vulnerable version of a backend like i18next-fs-backend, it may be accessible to attackers.

How do I respond to this threat?

Prioritize upgrading the middleware to version 3.9.7. If you cannot update immediately, ensure that the missingKeyHandler is not reachable by untrusted users by placing it behind authentication or removing the route. You can also disable key persistence by setting saveMissing to false when handling requests from the public.
