i18next-http-middleware Prototype Pollution Vulnerability Allowing Authorization Bypass and Potential Remote Code Execution
Vulnerability
A prototype pollution vulnerability has been identified in i18next-http-middleware versions prior to 3.9.3. This vulnerability allows an unauthenticated HTTP client to manipulate Object.prototype in the Node.js process running the middleware. The issue arises in two entry points, 'getResourcesHandler' and 'missingKeyHandler', which write client-supplied values into internal object keys without validating the key names. Exploiting this vulnerability can disrupt authorization checks, cause type-confusion denial-of-service, and potentially lead to remote code execution, depending on the downstream code.
Impact
Exploitation of this vulnerability allows for unauthorized modification of Object.prototype, which can break authorization checks, cause denial-of-service conditions through type confusion, and potentially be exploited to achieve remote code execution, depending on the application's handling of the polluted objects.
Reproduction
To reproduce this vulnerability, send a GET request to '/locales/resources.json' with the 'lng' parameter set to '__proto__' and the 'ns' parameter set to 'isAdmin'. This will write a property into Object.prototype that can bypass authorization checks. Alternatively, a POST request with a body containing '__proto__' as a key and an object with 'isAdmin' set to true as the value can be sent to the same endpoint, achieving the same effect through the 'missingKeyHandler' entry point.
Remediation
Users are advised to upgrade to i18next-http-middleware version 3.9.3 or later. The patched version blocks prototype-related keys in the 'getResourcesHandler' and 'missingKeyHandler' functions, preventing the pollution of Object.prototype. For those unable to upgrade, a partial mitigation is to place a Web Application Firewall in front of the middleware with a rule that rejects requests containing prototype-related keys in the 'lng' or 'ns' query parameters or in the request body.
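As an added illustration, not code from i18next-http-middleware or this advisory, the following shows the unchecked write pattern the two handlers share beside a hardened version that rejects prototype-related keys and a body check for the missing-key path. Function and store names are hypothetical.

```javascript
// Added example (not i18next-http-middleware's own code). Function names are
// hypothetical; the store shape resources[lng][ns] mirrors the advisory.

// Keys that reach Object.prototype (or a constructor's prototype) when used
// as a property name on a plain object.
const PROTOTYPE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPrototypeKey(key) {
  return PROTOTYPE_KEYS.has(String(key));
}

// Unchecked write of the kind the advisory describes: resources[lng][ns] = value.
// With lng = '__proto__' on a plain object, the first lookup yields
// Object.prototype itself, so the second assignment pollutes every object.
function setResourceUnsafe(resources, lng, ns, value) {
  if (!resources[lng]) resources[lng] = {};
  resources[lng][ns] = value;
  return resources;
}

// Hardened write: reject prototype keys up front, only consult own properties,
// and keep per-language buckets as null-prototype objects so no lookup can
// walk up to Object.prototype. Pass Object.create(null) as the top-level store.
function setResourceSafe(resources, lng, ns, value) {
  if (isPrototypeKey(lng) || isPrototypeKey(ns)) {
    throw new Error(`rejected prototype-related key: ${lng}/${ns}`);
  }
  if (!Object.prototype.hasOwnProperty.call(resources, lng)) {
    resources[lng] = Object.create(null);
  }
  resources[lng][ns] = value;
  return resources;
}

// Body check for the missing-key path: JSON.parse() turns a "__proto__" member
// into an ordinary own key, so walk every level of the parsed body and refuse
// the request if any prototype-related key appears before merging it.
function bodyHasPrototypeKey(value) {
  if (value === null || typeof value !== 'object') return false;
  return Object.keys(value).some(
    (k) => isPrototypeKey(k) || bodyHasPrototypeKey(value[k]),
  );
}
```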