i18next-http-middleware HTTP Response Splitting and Denial-of-Service Vulnerability
Vulnerability
A vulnerability in i18next-http-middleware versions prior to 3.9.3 allows user-controlled language values to be written into the Content-Language response header. These values are first processed by an HTML-entity encoder that fails to remove control characters. In applications using an older version of i18next (prior to 19.5.0) that still applied backward-compatibility fallbacks, CRLF sequences in the lng parameter could be injected into the response header verbatim. This vulnerability can lead to HTTP response splitting and denial-of-service, depending on the Node.js version.
Impact
In Node.js versions prior to 14.6.0, this vulnerability causes HTTP response splitting, allowing attackers to inject additional HTTP response headers. This could be exploited for session fixation, cache poisoning, or reflected cross-site scripting. In Node.js versions 14.6.0 and later, the vulnerability instead causes a denial-of-service: an error is thrown when the Content-Language header value contains CRLF, and because that error is not handled properly, the result is a 500 response for all concurrent users sharing that process.
Remediation
Users are advised to upgrade to i18next-http-middleware version 3.9.3 or later. For those unable to upgrade, a partial mitigation involves front-proxying the middleware with a WAF rule that rejects control characters in query parameters, cookies, and path segments.
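The partial mitigation above can also be expressed in the application as a guard mounted ahead of the i18n middleware. The following is an added example, not code from i18next-http-middleware or from this advisory; the function names, the Connect/Express-style (req, res, next) signature and the sample requests are assumptions made for illustration.

```javascript
// Added example: Connect/Express-style guard to mount before the i18n middleware.
// Names and sample requests are constructed for illustration.

// C0 control characters (CR and LF included) plus DEL.
const CONTROL_CHARS = /[\u0000-\u001f\u007f]/;

// Decode one layer of %XX byte by byte. Unlike decodeURIComponent this never
// throws, so a malformed sequence cannot hide a valid %0d%0a next to it.
function decodeLenient(raw) {
  return raw.replace(/%([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Returns 'path', 'query' or 'cookie' for the first offending input, else null.
function findControlCharInput(req) {
  const rawUrl = req.url || '/';
  const q = rawUrl.indexOf('?');
  const inputs = {
    path: q === -1 ? rawUrl : rawUrl.slice(0, q),
    query: q === -1 ? '' : rawUrl.slice(q + 1),
    cookie: (req.headers && req.headers.cookie) || '',
  };
  for (const [where, raw] of Object.entries(inputs)) {
    if (CONTROL_CHARS.test(decodeLenient(raw))) return where;
  }
  return null;
}

// Middleware: answer 400 before any language detection runs.
function rejectControlChars(req, res, next) {
  const where = findControlCharInput(req);
  if (where === null) return next();
  res.statusCode = 400;
  res.setHeader('Content-Type', 'text/plain');
  res.end('Bad Request: control character in ' + where);
}

// Constructed sample requests (shape of Node's IncomingMessage: url + headers).
const SAMPLES = [
  { url: '/items?lng=de', headers: { cookie: 'i18next=en-US' } },
  { url: '/?lng=en%0d%0aX-Test:%201', headers: {} },
  { url: '/', headers: { cookie: 'i18next=en%0AX' } },
  { url: '/?lng=%zz%0a', headers: {} },
];
for (const s of SAMPLES) console.log(s.url, '->', findControlCharInput(s));
```

The guard covers only the three input locations named above and decodes a single layer of percent-encoding, so it remains a partial mitigation alongside the upgrade.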
