PatchSiren cyber security CVE debrief
CVE-2026-48714 i18next CVE debrief
CVE-2026-48714 is a remote prototype pollution vulnerability in i18next-http-middleware versions prior to 3.9.7. The vulnerability occurs when the missingKeyHandler is exposed to untrusted input and used with i18next-fs-backend ≤ 2.6.5. This allows an attacker to pollute Object.prototype, potentially leading to crashes, corrupted translation behavior, configuration poisoning, or bypasses of property-based security checks.
- Vendor: i18next
- Product: i18next-http-middleware
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-15
- Original CVE updated: 2026-06-16
- Advisory published: 2026-06-15
- Advisory updated: 2026-06-16
Who should care
Developers using i18next-http-middleware versions prior to 3.9.7, especially those using i18next-fs-backend ≤ 2.6.5, should be aware of this vulnerability.
Technical summary
The missingKeyHandler in i18next-http-middleware versions prior to 3.9.7 did not properly reject dotted variants of __proto__, constructor, and prototype (for example a key whose dot-separated path passes through one of those segments). When used with i18next-fs-backend ≤ 2.6.5, which persists missing keys to disk, this allows an attacker to write to Object.prototype, with the consequences listed above.
Defensive priority
CRITICAL
Recommended defensive actions
- Upgrade to i18next-http-middleware version 3.9.7 or later.
- Do not expose missingKeyHandler to untrusted users.
- Add a request-body filter to reject any top-level key containing __proto__, constructor, or prototype.
- Disable missing-key persistence (saveMissing: false) when accepting writes from untrusted input.
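An added example, not code from this advisory or from the i18next project, of the request-body filter recommended above: an Express-style middleware (the express.json() body parser, the function names and the sample bodies are assumptions) that rejects any top-level key whose dot- or colon-separated segments include __proto__, constructor or prototype before the body can reach a saveMissing handler.

```javascript
// Hypothetical request-body filter for i18next missing-key endpoints (added
// example, not from the advisory or the i18next project).
const FORBIDDEN = new Set(['__proto__', 'constructor', 'prototype']);

// i18next uses '.' as its default key separator and ':' as the namespace
// separator, so a key is checked segment by segment, not just as a whole.
const SEPARATORS = /[.:]/;

// Returns the first offending top-level key, or null when the body is clean.
function findPollutingKey(body) {
  if (body === null || typeof body !== 'object') return null;
  // A "__proto__" member parsed from JSON is an own property, so Object.keys
  // sees it; the bare and dotted variants are both caught here.
  for (const key of Object.keys(body)) {
    const segments = key.split(SEPARATORS);
    if (segments.some((segment) => FORBIDDEN.has(segment))) return key;
  }
  return null;
}

// Express-style middleware: assumes express.json() has already populated
// req.body; mount it ahead of the missing-key route.
function rejectPrototypeKeys(req, res, next) {
  const offending = findPollutingKey(req.body);
  if (offending !== null) {
    return res.status(400).json({ error: `rejected key: ${offending}` });
  }
  next();
}

// Constructed sample bodies (not from the advisory), parsed as JSON so the
// bare "__proto__" case is an own key exactly as a body parser would produce.
const cleanBody = JSON.parse('{"greeting.hello": "Hello", "nav:title": "Home"}');
const bareProtoBody = JSON.parse('{"__proto__": {"polluted": "yes"}}');
const dottedProtoBody = JSON.parse('{"__proto__.polluted": "yes"}');
const dottedCtorBody = JSON.parse('{"foo.constructor.prototype.polluted": "yes"}');
```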
Evidence notes
This vulnerability has been fixed in version 3.9.7 of i18next-http-middleware.
Official resources
CVE-2026-48714 was published on 2026-06-15T22:16:17.550Z.