i18next-http-backend URL Injection Vulnerability Allowing Path Traversal and SSRF

Vulnerability

A URL injection vulnerability affects i18next-http-backend in versions prior to 3.0.5. The backend builds the URL of each translation file by interpolating the language ('lng') and namespace ('ns') values into its URL template (by default '/locales/{{lng}}/{{ns}}.json') without sanitizing or validating them. When an application derives those values from user-controlled input, such as a query parameter, header, or path segment that selects the active language, an attacker can inject path-traversal sequences, query-string or fragment delimiters, or their percent-encoded equivalents and change which resource the outgoing request fetches. Depending on where the request is issued and what it can reach, this enables path traversal and server-side request forgery (SSRF), and potentially unauthorized access to resources the application never intended to load.

Impact

Exploitation of this vulnerability lets an attacker rewrite the structure of outgoing request URLs: traversing out of the locale directory with '..' segments, appending query parameters with '?', truncating the intended path with a '#' fragment (which is never sent to the server), and bypassing naive character filters with percent-encoded forms such as '%2e%2e'. The most severe outcomes are SSRF, when the rewritten URL can reach internal hosts or file-scheme targets, and path-based authorization bypasses on servers that grant or deny access by URL prefix. Practical severity depends on where the template places the injected values (a value directly after a leading '/' can produce a protocol-relative '//host/...' URL and change the destination host) and on whether the library runs in a browser or in a server-side Node.js process whose outbound requests can reach internal networks.

Reproduction

To reproduce this vulnerability, install a version of i18next-http-backend prior to 3.0.5 and keep a standard loadPath template such as the default '/locales/{{lng}}/{{ns}}.json'. Configure the application so that the language or namespace passed to i18next comes from a user-controlled source, for example a query parameter or header. Then supply lng or ns values containing unsafe characters: '../' sequences for traversal, '?' to append a query string, '#' to truncate the path, or a percent-encoded form such as '%2e%2e' to evade simple filters. Because the values are interpolated into the template without validation, the resulting request URL (visible in browser developer tools or an intercepting proxy) no longer points at the intended translation file.

Remediation

Upgrade to i18next-http-backend version 3.0.5 or later. If an immediate upgrade is not possible, validate the lng and ns values before they reach i18next: reject (rather than strip) anything outside an allowlist of the locales and namespaces the application actually ships, or at minimum anything outside a strict character set such as letters, digits, '-' and '_'. Removing individual characters is weaker than rejecting, since percent-encoded and mixed forms can survive a blocklist, and the check must run before the value is interpolated into the URL template.
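The following is an added example, not code from i18next-http-backend itself. It re-creates the unsafe pattern described in the Vulnerability and Reproduction sections (plain textual substitution of {{lng}} and {{ns}} into a loadPath template, resolved the way a browser fetch would) alongside the allowlist check recommended under Remediation. The origin 'https://app.example', the host 'evil.example', the function names, the '/{{lng}}/{{ns}}.json' template used for the host-change case, and the segment regex are all assumptions chosen for illustration.

```javascript
// Added example (not i18next-http-backend's own code). Shows how unvalidated
// lng/ns values rewrite the request URL, and a hardened builder that rejects them.
// Everything below (origin, host names, template shapes, regex) is an assumption.

const BASE = 'https://app.example'; // constructed origin used to resolve relative paths

// Vulnerable shape: the value is dropped into the template with no checks at all.
function buildLoadPathUnsafe(template, lng, ns) {
  return template.replace('{{lng}}', lng).replace('{{ns}}', ns);
}

// Resolve like a browser would (WHATWG URL parser): '..' and '%2e%2e' segments
// collapse, '?' starts a query, '#' starts a fragment that is never sent, and a
// leading '//' becomes a protocol-relative URL that points at another host.
function resolve(path) {
  const u = new URL(path, BASE);
  return { href: u.href, host: u.hostname, pathname: u.pathname, search: u.search, hash: u.hash };
}

const TEMPLATE = '/locales/{{lng}}/{{ns}}.json'; // same shape as the backend's default

// Constructed attacker-controlled values, one per failure mode from the advisory.
function demoUnsafe() {
  return {
    benign: resolve(buildLoadPathUnsafe(TEMPLATE, 'en-US', 'common')),
    traversal: resolve(buildLoadPathUnsafe(TEMPLATE, '../../admin', 'config')),
    encodedTraversal: resolve(buildLoadPathUnsafe(TEMPLATE, '%2e%2e/%2e%2e/admin', 'config')),
    query: resolve(buildLoadPathUnsafe(TEMPLATE, 'en?debug=1&token=', 'common')),
    fragment: resolve(buildLoadPathUnsafe(TEMPLATE, 'en#', 'common')),
    // Assumed template that places lng right after the leading slash: a value
    // beginning with '/' yields '//evil.example/...', i.e. a different host.
    hostChange: resolve(buildLoadPathUnsafe('/{{lng}}/{{ns}}.json', '/evil.example', 'common')),
  };
}

// Hardened shape: each value must be a single opaque path segment before it
// touches the template; percent-encoding is a second layer, not the control.
// The pattern (letters, digits, '-' and '_', at most 64 chars) is an assumption
// that covers BCP 47 style tags like 'en-US' or 'zh-Hant' and ordinary namespace
// names; tighten it to the locales and namespaces your application really ships.
const SEGMENT_RE = /^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$/;

function assertSafeSegment(name, value) {
  if (typeof value !== 'string' || !SEGMENT_RE.test(value)) {
    throw new Error(`rejected ${name}: ${JSON.stringify(value)}`);
  }
  return value;
}

function buildLoadPathSafe(template, lng, ns) {
  const safeLng = encodeURIComponent(assertSafeSegment('lng', lng));
  const safeNs = encodeURIComponent(assertSafeSegment('ns', ns));
  return template.replace('{{lng}}', safeLng).replace('{{ns}}', safeNs);
}

// True when the hardened builder refuses the pair (used to check the allowlist).
function isRejected(lng, ns) {
  try {
    buildLoadPathSafe(TEMPLATE, lng, ns);
    return false;
  } catch (e) {
    return true;
  }
}

console.log(JSON.stringify(demoUnsafe(), null, 2));
console.log('safe:', buildLoadPathSafe(TEMPLATE, 'en-US', 'common'));
console.log('rejected traversal:', isRejected('../../admin', 'config'));
```

The unsafe builder shows each effect named in the Impact section: '../../admin' and its '%2e%2e' form both resolve to '/admin/config.json', a '?' turns the rest of the template into a query string, a '#' strips it into a fragment, and a leading '/' under the assumed root-level template moves the request to 'evil.example'. The hardened builder rejects all of these and still accepts normal tags such as 'zh-Hant'. In a real application the check belongs wherever the language is read from the request, before i18next sees it; the backend's loadPath option can also be given a function that receives the requested languages and namespaces, which is a convenient place to apply the same validation.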

Added: May 7, 2026, 9:39 PM
Updated: May 7, 2026, 9:39 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 8.4
remediation: 0.0
relevance: 7.7
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.