i18next-fs-backend Path Traversal Vulnerability Allowing Arbitrary File Read/Overwrite

Vulnerability

A path traversal vulnerability has been identified in i18next-fs-backend versions prior to 2.6.4. The 'lng' (language) and 'ns' (namespace) options are interpolated directly into the backend's file path templates without validation, so when these values are derived from untrusted input an attacker can craft them to read or overwrite files outside the designated locale directory. The issue arises in Node.js deployments, particularly where an i18next instance is wired into an HTTP layer that lets user input (such as a query parameter or Accept-Language header) dictate the language preference.

Impact

Exploitation of this vulnerability could lead to unauthorized reading of any file accessible to the Node process, including sensitive material such as source code, configuration files, SSH keys, and Docker secrets. Additionally, if the 'saveMissing' feature is enabled, the same traversal could be used to overwrite files with attacker-controlled JSON, corrupting them or injecting configuration that other processes later load.

Remediation

Users are advised to upgrade to i18next-fs-backend version 2.6.4 or later. If an immediate upgrade is not possible, 'lng' and 'ns' values should be validated at the application level before they reach the backend: restrict them to the expected language-tag and namespace shapes and reject anything containing path separators or traversal sequences rather than attempting to strip such characters.

Added: May 8, 2026, 6:25 PM
Updated: May 8, 2026, 6:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 1.9
exploitability: 7.4
remediation: 0.0
relevance: 7.8
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.