PatchSiren cyber security CVE debrief
CVE-2026-48713 i18next CVE debrief
CVE-2026-48713 is a critical vulnerability in the i18next-fs-backend library that allows prototype pollution via crafted missing-key strings. It affects versions prior to 2.6.6 and has a CVSS score of 9.1.
- Vendor: i18next
- Product: i18next-fs-backend
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-17
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-17
Who should care
Developers using the i18next-fs-backend library, especially those who expose the missingKeyHandler to untrusted users or use the default behavior of splitting missing-key strings on keySeparator.
Technical summary
The vulnerability is in the backend.writeFile() function, which splits each queued missing-key string on the configured keySeparator (default '.') before calling the internal setPath() walker. The walker did not guard against unsafe segments, so a crafted missing-key string could write arbitrary properties onto the global Object prototype.
Defensive priority
High
Recommended defensive actions
- Upgrade to version 2.6.6 or later
- Do not expose i18next-http-middleware's missingKeyHandler to untrusted users
- Disable missing-key persistence (saveMissing: false) when accepting writes from untrusted input
- Set keySeparator: false in i18next options to disable backend key splitting
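The split-then-walk step from the technical summary, reconstructed in hardened form as an added example (this is not i18next-fs-backend's own code; splitKey, safeSetPath and persistMissingKeys are hypothetical names). It rejects key segments that would redirect the walk onto a prototype and also shows why the keySeparator: false mitigation above is safe.

```javascript
// Added example, not i18next-fs-backend's own code: a hardened reconstruction
// of the "split missing key on keySeparator, then walk setPath()" step the
// advisory describes. splitKey, safeSetPath and persistMissingKeys are
// assumed names for illustration.
const UNSAFE_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

class UnsafeKeyError extends Error {}

// keySeparator === false keeps the whole key as a single segment, which is
// what the advisory's "keySeparator: false" mitigation relies on.
function splitKey(key, keySeparator = '.') {
  return keySeparator === false ? [key] : key.split(keySeparator);
}

// Walk the segments into `target`, creating intermediate plain objects as own
// properties. Any segment that could reach a prototype is rejected up front,
// before anything is written.
function safeSetPath(target, segments, value) {
  if (segments.length === 0) throw new UnsafeKeyError('empty key');
  for (const seg of segments) {
    if (UNSAFE_SEGMENTS.has(seg)) throw new UnsafeKeyError(`unsafe segment: ${seg}`);
  }
  let node = target;
  for (const seg of segments.slice(0, -1)) {
    // Descend only through own plain-object properties, never inherited ones.
    const own = Object.prototype.hasOwnProperty.call(node, seg);
    if (!own || typeof node[seg] !== 'object' || node[seg] === null) node[seg] = {};
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
  return target;
}

// Persist a queued batch of missing keys into a fresh resource object and
// report rejected keys instead of silently dropping or writing them.
function persistMissingKeys(queued, keySeparator = '.') {
  const resources = {};
  const rejected = [];
  for (const [key, fallback] of queued) {
    try {
      safeSetPath(resources, splitKey(key, keySeparator), fallback);
    } catch (e) {
      if (!(e instanceof UnsafeKeyError)) throw e;
      rejected.push(key);
    }
  }
  return { resources, rejected };
}

// Constructed sample queue: one legitimate key and one crafted key of the
// kind the advisory warns about.
const SAMPLE_QUEUE = [['nav.home', 'Home'], ['__proto__.polluted', 'yes']];
```

With the default separator the crafted key is reported in `rejected`; with `keySeparator: false` it becomes a harmless own property literally named `__proto__.polluted`, and in both cases `({}).polluted` stays undefined.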
Evidence notes
The vulnerability has been fixed in version 2.6.6. Developers unable to upgrade immediately should take precautions to mitigate the vulnerability.