CVE-2026-42353 Overview
CVE-2026-42353 affects i18next-http-middleware, a localization middleware used with Node.js frameworks like Express and Fastify, and also supported on Deno. Versions prior to 3.9.3 pass user-controlled lng and ns parameters from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without sanitization. Depending on the configured backend, attackers can trigger path traversal or Server-Side Request Forgery (SSRF). The maintainers patched the issue in version 3.9.3. The vulnerability is categorized under [CWE-22] Improper Limitation of a Pathname to a Restricted Directory.
Critical Impact
Unauthenticated remote attackers can read arbitrary files on disk or issue outbound HTTP requests through the server, depending on the backend configuration.
Affected Products
- i18next-http-middleware versions prior to 3.9.3
- Node.js applications using Express or Fastify with the affected middleware
- Deno applications integrating the affected middleware
Discovery Timeline
- 2026-05-08 - CVE-2026-42353 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-42353
Vulnerability Analysis
The i18next-http-middleware package exposes a getResourcesHandler endpoint that returns translation resources for a requested language and namespace. The handler reads the lng and ns query parameters from the incoming HTTP request and forwards them directly to i18next.services.backendConnector.load(languages, namespaces, …). No validation, allow-listing, or character filtering occurs before the values reach the backend loader.
The security impact depends on which i18next backend is configured. When a filesystem backend such as i18next-fs-backend is used, language and namespace strings become components of a file path. Attackers can submit traversal sequences like ../../../../etc/passwd to read files outside the translations directory. When an HTTP backend such as i18next-http-backend is configured, the same parameters become components of a URL, enabling SSRF against internal services or cloud metadata endpoints.
Root Cause
The root cause is missing input sanitization at the boundary between the HTTP request and the backend loader. The middleware trusts that downstream backends will validate inputs, but the backend connectors treat languages and namespaces as already-validated identifiers. This violates the principle of input validation at trust boundaries and falls under [CWE-22].
Attack Vector
Exploitation requires only network access to an endpoint that exposes getResourcesHandler. No authentication or user interaction is required. An attacker crafts a GET request with malicious lng or ns query parameters. With a filesystem backend, the payload contains directory traversal sequences targeting sensitive files. With an HTTP backend, the payload contains URL fragments that redirect the loader to attacker-chosen hosts, including internal addresses such as 169.254.169.254 for cloud metadata theft. See the GitHub Security Advisory GHSA-jfgf-83c5-2c4m for technical details.
Detection Methods for CVE-2026-42353
Indicators of Compromise
- HTTP requests to the i18next resources endpoint containing ../ or URL-encoded traversal sequences such as %2e%2e%2f in the lng or ns parameters.
- Outbound HTTP connections from the application server to internal IP ranges or cloud metadata endpoints like 169.254.169.254 originating from the i18next backend loader.
- Application logs showing backendConnector.load calls with abnormally long or non-locale-formatted language and namespace values.
Detection Strategies
- Inventory all Node.js and Deno services using i18next-http-middleware and confirm the installed version against 3.9.3.
- Add Web Application Firewall (WAF) rules that reject requests to translation resource endpoints when lng or ns parameters contain path separators, null bytes, or protocol schemes.
- Correlate request logs with file access and outbound network telemetry to identify post-exploitation activity.
Monitoring Recommendations
- Monitor file read activity by the Node.js process for paths outside the configured translations directory.
- Alert on outbound HTTP requests from application processes to RFC1918 ranges or link-local addresses when those destinations are not expected.
- Capture and review HTTP access logs for high-entropy or unusually structured lng and ns parameter values.
How to Mitigate CVE-2026-42353
Immediate Actions Required
- Upgrade i18next-http-middleware to version 3.9.3 or later across all Node.js and Deno deployments.
- Audit application code for direct exposure of getResourcesHandler and restrict the endpoint to trusted internal callers when feasible.
- Review backend configuration to determine whether a filesystem or HTTP backend is in use, then prioritize remediation based on the resulting impact profile.
Patch Information
The maintainers released the fix in i18next-http-middleware version 3.9.3. Upgrade using npm install i18next-http-middleware@3.9.3 or the equivalent for yarn, pnpm, or Deno import maps. Refer to the GitHub Security Advisory GHSA-jfgf-83c5-2c4m for full release notes.
Workarounds
- If upgrading is not immediately possible, wrap or disable getResourcesHandler and implement strict allow-list validation on lng and ns parameters that accepts only known locale codes and namespace identifiers.
- Restrict the application's filesystem permissions so the Node.js process cannot read files outside the translations directory.
- Apply egress network controls that block the application from reaching internal services and cloud metadata endpoints unless explicitly required.
# Configuration example
npm install i18next-http-middleware@3.9.3
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
