EXECUTIVE SUMMARY:
CVE-2026-42353 is a vulnerability in the i18next-http-middleware npm package, with a CVSS score of 8.2, in which user-controlled input parameters are passed to backend resource loaders without proper sanitization. With filesystem-based backends, this allows path traversal and unauthorized reading of sensitive files; with HTTP-based backends, it allows server-side request forgery, giving access to internal services or cloud metadata endpoints. Additionally, improper handling of namespace values can lead to memory exhaustion through uncontrolled growth. The issue requires no authentication and can be exploited remotely with low complexity, posing significant risks to data confidentiality.
RECOMMENDATION:
We recommend updating i18next-http-middleware to version 3.9.6 or later.
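As a defence-in-depth measure alongside the upgrade, the language and namespace values a request supplies can be checked against an application-defined allowlist before any backend loader sees them. The following is an added example written for this advisory; it is not code from the i18next project or from the advisory itself. It assumes the application reads `lng` and `ns` from the query string (the allowlists, the `MAX_NAMESPACES_PER_REQUEST` limit and the sample inputs are all constructed for the demo), and it returns rejected values so that the application can log them for detection.

```javascript
// Added example (not from the advisory or the i18next project): allowlist-based
// validation of request-supplied language and namespace values, run before
// they reach a filesystem- or HTTP-based resource loader.
// Assumptions: the application configures ALLOWED_LANGUAGES / ALLOWED_NAMESPACES;
// the query keys 'lng' and 'ns' and all sample inputs below are constructed.

const ALLOWED_LANGUAGES = new Set(['en', 'en-US', 'de', 'fr']);
const ALLOWED_NAMESPACES = new Set(['common', 'errors', 'checkout']);
const MAX_NAMESPACES_PER_REQUEST = 5;

// Language tag: letters plus optional subtags, no slashes, dots or colons.
const LANGUAGE_TAG = /^[A-Za-z]{2,3}(-[A-Za-z0-9]{2,8})*$/;
// Namespace: a bare identifier, no path or URL separators of any kind.
const NAMESPACE_TAG = /^[A-Za-z0-9_]{1,32}$/;

function isSafeLanguage(value) {
  return typeof value === 'string' && LANGUAGE_TAG.test(value) && ALLOWED_LANGUAGES.has(value);
}

function isSafeNamespace(value) {
  return typeof value === 'string' && NAMESPACE_TAG.test(value) && ALLOWED_NAMESPACES.has(value);
}

// Turn a raw query object into { lng, ns, rejected }. Anything that fails the
// shape check or the allowlist falls back to a safe default and is recorded.
function validateI18nQuery(query, fallbackLanguage = 'en') {
  const rejected = [];

  let lng = fallbackLanguage;
  if (query.lng !== undefined) {
    if (isSafeLanguage(query.lng)) lng = query.lng;
    else rejected.push({ param: 'lng', value: String(query.lng) });
  }

  // Query-string parsers may yield a string, an array, or (for ?ns[x]=y) an object.
  let rawNs = [];
  if (typeof query.ns === 'string') rawNs = query.ns.split(',');
  else if (Array.isArray(query.ns)) rawNs = query.ns;
  else if (query.ns !== undefined) rejected.push({ param: 'ns', value: JSON.stringify(query.ns) });

  // Bound the candidate count before validating so a flood of namespaces
  // cannot drive unbounded work or growth per request.
  if (rawNs.length > MAX_NAMESPACES_PER_REQUEST) {
    rejected.push({
      param: 'ns',
      value: `${rawNs.length} namespaces requested (limit ${MAX_NAMESPACES_PER_REQUEST})`,
    });
    rawNs = rawNs.slice(0, MAX_NAMESPACES_PER_REQUEST);
  }

  const ns = [];
  for (const candidate of rawNs) {
    if (isSafeNamespace(candidate)) {
      if (!ns.includes(candidate)) ns.push(candidate); // de-duplicate
    } else {
      rejected.push({ param: 'ns', value: String(candidate) });
    }
  }

  return { lng, ns, rejected };
}

// Express-style middleware (hypothetical wiring): attaches the validated values
// to the request and logs rejections. How the validated values are handed to
// the i18n lookup depends on the application's configuration and is not shown.
function i18nParamGuard(options = {}) {
  const log = options.log || ((entry) => console.warn('i18n param rejected', entry));
  return function (req, res, next) {
    const result = validateI18nQuery(req.query || {}, options.fallbackLanguage);
    for (const entry of result.rejected) log({ ...entry, path: req.path, ip: req.ip });
    req.validatedI18n = { lng: result.lng, ns: result.ns };
    next();
  };
}

// Constructed sample requests, exercised when run directly.
if (typeof require !== 'undefined' && require.main === module) {
  console.log(validateI18nQuery({ lng: 'de', ns: 'common,checkout,common' }));
  console.log(validateI18nQuery({ lng: '../../etc/passwd', ns: '../../../secrets' }));
  console.log(validateI18nQuery({ ns: new Array(1000).fill('x') }));
}
```

Validating against a fixed allowlist rather than trying to strip traversal sequences is deliberate: the set of languages and namespaces an application serves is known at deploy time, so anything outside it has no legitimate use and can be dropped and logged rather than "cleaned".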
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-jfgf-83c5-2c4m