CVE-2026-41693 Overview
CVE-2026-41693 is a path traversal vulnerability [CWE-22] in i18next-fs-backend, a backend layer for i18next that loads translations from the filesystem in Node.js and Deno environments. Versions prior to 2.6.4 substitute the lng and ns options directly into the configured loadPath and addPath templates without encoding or validation. Attackers who can influence either value through HTTP query strings, cookies, or headers can read or overwrite files outside the intended locale directory. The maintainers patched the issue in version 2.6.4.
Critical Impact
A single crafted request such as ?lng=../../../../etc/passwd causes the backend to read arbitrary files from disk, exposing sensitive system data to unauthenticated network attackers.
Affected Products
- i18next-fs-backend versions prior to 2.6.4
- Node.js applications using i18next-fs-backend with request-scoped i18next instances
- Applications combining i18next-fs-backend with i18next-http-middleware where users select language via query string, cookie, or header
Discovery Timeline
- 2026-05-08 - CVE-2026-41693 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-41693
Vulnerability Analysis
The vulnerability resides in how i18next-fs-backend constructs filesystem paths for loading and saving translation resources. The library exposes two configuration templates, loadPath and addPath, that contain {{lng}} and {{ns}} placeholders. At runtime, the backend substitutes user-supplied language and namespace identifiers into these templates and passes the resulting string directly to filesystem read and write operations.
Because the substitution is unencoded and unvalidated, the resolved path can escape the intended locale directory. A crafted lng or ns value containing .., a path separator, a control character, a prototype key, or an unexpectedly long string steers the file operation to an arbitrary location. The attack vector is network-based and requires no authentication or user interaction.
Root Cause
The root cause is missing input validation on template variables before filesystem operations. The backend trusts that lng and ns are well-formed locale identifiers, yet the values often originate from HTTP request data when i18next-http-middleware or similar request-scoped wrappers are in use. No allowlist, canonicalization, or boundary check is applied prior to invoking fs.readFile or fs.writeFile.
Attack Vector
An attacker sends a request that controls the language selector, for example GET /resource?lng=../../../../etc/passwd. The middleware passes the value into the i18next instance, which calls into i18next-fs-backend. The backend resolves the loadPath template to a path outside the locale directory and returns the file contents to the translation pipeline. The same primitive applies to addPath for write operations, enabling overwrite of files the Node.js process can modify.
No verified public exploit code is currently available. Refer to the GitHub Security Advisory GHSA-8847-338w-5hcj for technical details.
Detection Methods for CVE-2026-41693
Indicators of Compromise
- HTTP requests containing lng or ns parameters with .., URL-encoded path separators (%2f, %5c), or null bytes
- Node.js process file access events targeting paths outside the configured locales directory
- Unexpected reads of sensitive files such as /etc/passwd, .env, or application configuration by the Node.js runtime
- Write operations from the application process to paths outside its working directory tree
Detection Strategies
- Inspect web server and reverse proxy logs for traversal sequences in language and namespace parameters
- Audit application logs for i18next backend errors referencing paths outside the locales directory
- Monitor filesystem telemetry for the Node.js process accessing files unrelated to translations
- Run dependency scanners such as npm audit to identify i18next-fs-backend versions below 2.6.4
Monitoring Recommendations
- Enable verbose logging on i18next-http-middleware to capture user-supplied lng and ns values
- Forward web application firewall (WAF) and runtime application self-protection (RASP) events to a centralized SIEM for correlation
- Alert on filesystem access by the application process outside an allowlisted directory tree
How to Mitigate CVE-2026-41693
Immediate Actions Required
- Upgrade i18next-fs-backend to version 2.6.4 or later in all Node.js and Deno applications
- Audit application code for any pathway that propagates request data into the lng or ns options
- Restrict the Node.js process to least-privilege filesystem permissions to limit impact of any residual traversal
Patch Information
The issue is fixed in i18next-fs-backend version 2.6.4. Update the dependency in package.json and run npm install or the equivalent for your package manager. Verify the resolved version with npm ls i18next-fs-backend. See the GitHub Security Advisory GHSA-8847-338w-5hcj for the full patch description.
Workarounds
- Validate lng and ns against a strict allowlist of supported locales and namespaces before passing them to i18next
- Reject any language or namespace value containing .., /, \, control characters, or excessive length at the middleware layer
- Configure a WAF rule to block traversal patterns in lng and ns query parameters, cookies, and headers
- Run the Node.js process in a container or sandbox with read-only mounts outside the locales directory
# Configuration example
npm install i18next-fs-backend@^2.6.4
npm ls i18next-fs-backend
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
