Critical

Remote Prototype Pollution in i18next-http-middleware missingKeyHandler

IdentifiersCVE-2026-48714CWE-1321· Improperly Controlled Modification…

CVE-2026-48714 is a prototype pollution vulnerability in i18next-http-middleware affecting versions prior to 3.9.7. The flaw is in missingKeyHandler: although the middleware blocked literal request-body keys such as proto, constructor, and prototype beginning in 3.9.3, it failed to reject dotted variants such as "proto.polluted". When such attacker-controlled keys are forwarded to downstream backends that split missing-key strings using a configured keySeparator, notably i18next-fs-backend <= 2.6.5, they can reach an unguarded setPath()-style walker and cause writes to Object.prototype. In deployments that expose missingKeyHandler to untrusted input, this creates a remotely exploitable prototype pollution condition.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows remote modification of Object.prototype in affected application contexts. Depending on how the host application uses object properties, this can lead to application crashes, corrupted translation behavior, configuration poisoning, and bypass of property-based security checks. The advisory describes the issue as remotely exploitable and assigns CVSS 3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H (9.1 Critical), indicating high integrity and availability impact.

Mitigation

If you can’t patch tonight, do this now.

If immediate upgrade is not possible, do not expose missingKeyHandler to untrusted users; place the route behind authentication or remove it entirely. Add request-body filtering before the handler to reject any top-level key containing proto, constructor, or prototype after splitting on the configured keySeparator. Disable missing-key persistence by setting saveMissing to false when accepting writes influenced by untrusted input.

Remediation

Patch, then assume compromise.

Upgrade i18next-http-middleware to version 3.9.7 or later, which fixes the missingKeyHandler validation gap. Also review downstream backend dependencies, especially i18next-fs-backend, and update vulnerable backends where applicable because exploitation depends on unsafe key splitting and path traversal behavior downstream.

PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app

security online infoNews

Jun 18, 2026

i18next Prototype Pollution Hits 1M+ Downloads, CVSS 9.1

A companion middleware vulnerability that expands the attack surface and helps remote input reach the vulnerable code path associated with the i18next-fs-backend prototype pollution issue.

cvefeed high severityNews

Jun 15, 2026

CVE-2026-48714 - i18next-http-middleware missingKeyHandler does not reject keys whose segments contain prototype-polluting names

A critical remote prototype pollution vulnerability in i18next-http-middleware's missingKeyHandler that can allow untrusted input to write to Object.prototype via dotted keys, especially when used with i18next-fs-backend 2.6.5 or earlier.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity5

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-48714

NVD

nvd.nist.gov/vuln/detail/CVE-2026-48714

MITRE CWE · CWE-1321

Improperly Controlled Modification of Object…

github.com

github.com/i18next/i18next-http-middleware/commit/7c6d26f137d3e940b8d229ca148bca38845faf49

github.com

github.com/i18next/i18next-http-middleware/security/advisories/GHSA-f49m-vf83-692w