GHSA-mgcp-mfp8-3q45

Source
https://github.com/advisories/GHSA-mgcp-mfp8-3q45
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mgcp-mfp8-3q45/GHSA-mgcp-mfp8-3q45.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mgcp-mfp8-3q45
Aliases
  • CVE-2026-41885
Published
2026-04-22T20:28:27Z
Modified
2026-05-13T13:52:30.530815Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Summary
i18next-locize-backend has URL Injection via Unsanitized Path Parameters
Details

Summary

Versions of i18next-locize-backend prior to 9.0.2 interpolate lng, ns, projectId, and version directly into the configured loadPath / privatePath / addPath / updatePath / getLanguagesPath URL templates with no path-component validation and no encoding. When an application exposes any of these values to user-controlled input (?lng= / ?ns= query parameters via i18next-browser-languagedetector, cookies, request headers, or a URL-derived projectId), a crafted value can change the structure of the outgoing request URL.

Affected call sites in lib/index.js (pre-patch): the interpolate() helper is used at the five URL-build sites — _readAny/read (line 415 for private, 426 for public), getLanguages (lines 271 and 296), and writePage (lines 616 and 622) for the missing-key and update POST paths. The helper interpolate in lib/utils.js substitutes raw values with no encoding.

Impact

An attacker who can influence lng, ns, projectId, or version can:

  • Path traversal: lng = '../../admin' against https://api.locize.app/{{projectId}}/{{version}}/{{lng}}/{{ns}} changes the request URL path segment that reaches the locize CDN / API.
  • Query-string injection: lng = 'en?x=y' appends an attacker-chosen query to the URL.
  • Fragment truncation: lng = 'en#x' silently truncates the path in browser fetches.
  • URL-encoded bypass: lng = 'en%2F..' leverages server-side decoding to reintroduce a /.. sequence.

The worst-case concrete impact is loading an unintended translation resource (potentially causing wrong content to render) and, when a custom loadPath is configured against an internal / file-scheme URL, SSRF or arbitrary-file read on the host running the backend.

Additionally, the pre-patch interpolate() function read data[key] without excluding prototype-chain properties — under prototype-pollution conditions in the same process, that path could pull values from Object.prototype into the URL.

Related fixes shipped in 9.0.2

  • The defaults() helper replaces for...in iteration with Object.keys() plus an explicit prototype-key guard so a polluted Object.prototype cannot leak into the merged options object.
  • New utils.interpolateUrl / isSafeUrlSegment / sanitizeLogValue / redactUrlCredentials helpers mirror the pattern shipped in i18next-http-backend@3.0.5 (see its advisory GHSA-q89c-q3h5-w34g).
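An added example, not the package's own defaults() helper, of the merge hardening the first bullet describes: for...in copies enumerable keys inherited through the prototype chain, Object.keys() does not, and an explicit key guard is still needed because JSON.parse() produces an own property literally named __proto__. defaultsNaive, defaultsSafe and the sample values are constructed for illustration.

```javascript
// Added example, not the package's defaults() helper: why the merge moved from
// for...in to Object.keys() plus a prototype-key guard. Names are hypothetical.

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// The pre-fix pattern: for...in also visits enumerable keys inherited through
// the prototype chain, so a polluted prototype leaks into the merged options.
function defaultsNaive(obj, ...sources) {
  for (const source of sources) {
    for (const key in source) {
      if (obj[key] === undefined) obj[key] = source[key];
    }
  }
  return obj;
}

// The hardened pattern: own keys only, and never a key that could rewire the
// target's prototype.
function defaultsSafe(obj, ...sources) {
  for (const source of sources) {
    if (source === null || typeof source !== 'object') continue;
    for (const key of Object.keys(source)) {
      if (FORBIDDEN_KEYS.has(key)) continue;
      if (obj[key] === undefined) obj[key] = source[key];
    }
  }
  return obj;
}

// Constructed scenario 1: a source object whose prototype carries an enumerable
// loadPath, standing in for a polluted Object.prototype without touching the
// real one (so the demo cannot disturb anything else in the process).
function demoInheritedKey() {
  const source = Object.create({ loadPath: 'https://not-locize.example/{{lng}}/{{ns}}' });
  source.version = 'latest';
  return { naive: defaultsNaive({}, source), safe: defaultsSafe({}, source) };
}

// Constructed scenario 2: JSON.parse() yields an own property literally named
// "__proto__". Object.keys() does return it, so the guard is what prevents an
// unguarded [[Set]]-style copy (Object.assign here) from replacing the target's
// prototype.
function demoProtoKey() {
  const source = JSON.parse('{"__proto__": {"polluted": true}, "version": "latest"}');
  const unguarded = Object.assign({}, source);
  const safe = defaultsSafe({}, source);
  return {
    keyIsOwn: Object.keys(source).includes('__proto__'),
    unguardedPolluted: unguarded.polluted === true,
    safePolluted: safe.polluted === true,
    safePrototypeIntact: Object.getPrototypeOf(safe) === Object.prototype,
    safeVersion: safe.version,
  };
}

console.log(demoInheritedKey());
console.log(demoProtoKey());
```

Scenario 1 shows the leak through inheritance that Object.keys() closes; scenario 2 shows why Object.keys() alone is not enough and the explicit guard on __proto__, constructor and prototype has to stay.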

Affected versions

All versions of i18next-locize-backend prior to 9.0.2.

Patch

Fixed in 9.0.2. lib/index.js now uses interpolateUrl() at every URL-build site and passes an error to the callback (or silently drops the queued write for writePage) when any interpolated value fails the safety check. Legitimate i18next language-code shapes (BCP-47, en_US, zh-Hant-HK, my-custom.ns, +-joined multi-language values) all pass.

Workarounds

No workaround short of upgrading. If you cannot upgrade immediately, sanitise lng / ns / projectId / version at your application boundary before passing them through to i18next — reject values containing .., /, \, ?, #, %, whitespace, control characters, and cap the length.
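As an added illustration, not the project's code, of the check the Patch section describes and of the boundary sanitisation recommended above: a strict allowlist for path segments, applied at interpolation time, that rejects the four payload shapes listed under Impact while accepting the language-code shapes the advisory says must keep working. isSafeUrlSegment, interpolateUrl and buildLoadUrl are hypothetical reimplementations; the 100-character cap and the sample project id are assumptions, since the advisory names neither.

```javascript
// Added example, not i18next-locize-backend's own code: a strict path-segment
// allowlist applied at interpolation time. Helper names are hypothetical.

const MAX_SEGMENT_LENGTH = 100; // assumed cap; the advisory fixes no number

// Letters, digits, '-', '_', '.' and '+' cover BCP-47 tags (zh-Hant-HK),
// underscore locales (en_US), dotted namespaces (my-custom.ns) and '+'-joined
// multi-language values. Everything else, including / \ ? # % whitespace and
// control characters, is rejected outright.
const SAFE_SEGMENT = /^[A-Za-z0-9_.+-]+$/;

function isSafeUrlSegment(value) {
  if (typeof value !== 'string') return false;
  if (value.length === 0 || value.length > MAX_SEGMENT_LENGTH) return false;
  if (!SAFE_SEGMENT.test(value)) return false;
  // A dot is admitted for namespaces, but never '.' alone or any '..' run,
  // so traversal cannot reappear even if the server decodes the path.
  if (value === '.' || value.includes('..')) return false;
  return true;
}

// Replace {{key}} placeholders with validated own properties of `data`.
// Throws instead of building a malformed request URL.
function interpolateUrl(template, data) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_match, key) => {
    // Own properties only: a polluted Object.prototype must not feed the URL.
    if (!Object.prototype.hasOwnProperty.call(data, key)) {
      throw new Error(`missing value for {{${key}}}`);
    }
    const value = String(data[key]);
    if (!isSafeUrlSegment(value)) {
      throw new Error(`unsafe URL segment for {{${key}}}: ${JSON.stringify(value)}`);
    }
    // Every admitted character is an unreserved or sub-delimiter path
    // character, so no percent-encoding is needed after validation.
    return value;
  });
}

const LOAD_PATH = 'https://api.locize.app/{{projectId}}/{{version}}/{{lng}}/{{ns}}';

// Build the load URL, or report an error the way the patched backend hands
// one to its callback instead of issuing the request.
function buildLoadUrl(params) {
  try {
    return { url: interpolateUrl(LOAD_PATH, params), error: null };
  } catch (e) {
    return { url: null, error: e.message };
  }
}

// Constructed inputs: the advisory's payload shapes beside legitimate codes.
const base = { projectId: 'example-project-id', version: 'latest', ns: 'translation' };
for (const lng of ['en-US', 'zh-Hant-HK', 'en+de', '../../admin', 'en?x=y', 'en#x', 'en%2F..']) {
  console.log(JSON.stringify(lng), '=>', buildLoadUrl({ ...base, lng }));
}
```

The allowlist is deliberately narrower than "reject the listed characters": a denylist has to anticipate every delimiter and encoding trick, whereas admitting only the characters legitimate values need leaves nothing for a decoder on the server side to reinterpret. The own-property check addresses the separate prototype-chain point made under Impact.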

Credits

Discovered via an internal security audit of the i18next / locize ecosystem.

References

Database specific
{
    "github_reviewed_at": "2026-04-22T20:28:27Z",
    "nvd_published_at": "2026-05-08T16:16:11Z",
    "cwe_ids": [
        "CWE-22",
        "CWE-74"
    ],
    "severity": "MODERATE",
    "github_reviewed": true
}
Affected packages

npm / i18next-locize-backend

Package

Name
i18next-locize-backend
Purl
pkg:npm/i18next-locize-backend

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
9.0.2

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-mgcp-mfp8-3q45/GHSA-mgcp-mfp8-3q45.json"