CVE-2026-42353 | THREATINT

Description

i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and also for Deno. Prior to version 3.9.3, i18next-http-middleware passes the user-controlled lng and ns values from getResourcesHandler directly into i18next.services.backendConnector.load(languages, namespaces, …) without any sanitization. Depending on which backend is configured, the unvalidated path segments enable either path traversal or SSRF. This issue has been patched in version 3.9.3.

PUBLISHED Reserved 2026-04-26 | Published 2026-05-08 | Updated 2026-05-08 | Assigner GitHub_M

HIGH: 8.2CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Problem types

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-918: Server-Side Request Forgery (SSRF)

Product status

< 3.9.3

affected

References

github.com/...leware/security/advisories/GHSA-jfgf-83c5-2c4m

cve.org (CVE-2026-42353)

nvd.nist.gov (CVE-2026-42353)

Download JSON