Critical

Prototype Pollution in i18next-fs-backend missing-key persistence

IdentifiersCVE-2026-48713CWE-1321· Improperly Controlled Modification…

CVE-2026-48713 is a prototype pollution vulnerability in i18next-fs-backend affecting versions prior to 2.6.6. The flaw is in the missing-translation-key persistence path: Backend.writeFile() splits queued missing-key strings on the configured keySeparator, which defaults to '.', and then passes the resulting path segments to the internal path walker/setter logic, including getLastOfPath in lib/utils.js. Unsafe path segments such as 'proto', 'constructor', or 'prototype' were not blocked. As a result, a crafted missing key such as 'proto.polluted' could be split into ['proto','polluted'] and traversed into Object.prototype, allowing attacker-controlled properties to be written onto the global object prototype. The vulnerable path is reachable when applications persist missing translation keys from untrusted input, such as through i18next-http-middleware's missingKeyHandler or similar routes forwarding untrusted request bodies to i18next.t(..., { ... }) with saveMissing enabled.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows arbitrary modification of Object.prototype in the Node.js process. Depending on application behavior, this can cause denial of service through crashes, corruption of translation handling, configuration poisoning, and bypass of property-based security checks. The provided CVSS context indicates high integrity and availability impact. Because prototype pollution affects shared object behavior process-wide, secondary effects may extend beyond the translation subsystem into broader application logic.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, do not expose i18next-http-middleware's missingKeyHandler to untrusted users; place it behind authentication or remove the route entirely. Disable missing-key persistence for untrusted input by setting saveMissing to false or by ensuring no backend.create/write path is available for attacker-controlled requests. Set keySeparator to false to disable backend key splitting, noting that this also disables nested translation keys. More generally, prevent untrusted users from supplying missing-key names that are persisted by the backend.

Remediation

Patch, then assume compromise.

Upgrade i18next-fs-backend to version 2.6.6 or later. The fix blocks traversal through unsafe prototype-related path segments including 'proto', 'constructor', and 'prototype'. If available in your change-management process, deploy the vendor patch corresponding to the referenced fix commit 3ab0448087da6935a40117f904b7457281f963f4.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

security online infoNews

Jun 18, 2026

i18next Prototype Pollution Hits 1M+ Downloads, CVSS 9.1

A critical prototype pollution vulnerability in i18next-fs-backend that allows an unauthenticated attacker to write arbitrary properties onto Object.prototype via crafted translation keys when missing-key persistence is exposed to untrusted input.

cvefeed high severityNews

Jun 15, 2026

CVE-2026-48713 - i18next-fs-backend: Prototype pollution via crafted missing-key string

A critical prototype pollution vulnerability in i18next-fs-backend caused by unsafe handling of crafted missing-key strings, allowing writes to Object.prototype when missing-key persistence is exposed to untrusted input.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-48713

NVD

nvd.nist.gov/vuln/detail/CVE-2026-48713

MITRE CWE · CWE-1321

Improperly Controlled Modification of Object…

github.com

github.com/i18next/i18next-fs-backend/commit/3ab0448087da6935a40117f904b7457281f963f4

github.com

github.com/i18next/i18next-fs-backend/security/advisories/GHSA-2933-q333-qg83