i18next-locize-backend Path Traversal and URL Injection Vulnerability

Vulnerability

A path traversal and URL injection vulnerability exists in i18next-locize-backend versions prior to 9.0.2. The issue arises because the backend interpolates language, namespace, project ID, and version directly into the URL templates for various paths without proper validation or encoding. This flaw allows an attacker to manipulate the request URL structure by exploiting user-controlled input, such as query parameters, cookies, request headers, or derived project IDs. The vulnerability could lead to unintended resource loading, potentially causing incorrect content to be displayed, or, in cases where a custom load path is set to an internal or file-scheme URL, server-side request forgery or arbitrary file reading on the host running the backend.

Impact

Exploitation of this vulnerability could result in path traversal, allowing the backend to request resources outside the intended path, or URL injection that appends attacker-chosen query strings to the request URL. The most severe consequence could be loading an incorrect translation resource, disrupting content delivery, or causing server-side request forgery or arbitrary file reading, depending on the application's configuration.

Remediation

Users are advised to upgrade to i18next-locize-backend version 9.0.2 or later. If an immediate upgrade is not possible, sanitize the 'lng', 'ns', 'projectId', and 'version' values at the application level before passing them to i18next. Reject any values containing path traversal sequences, control characters, or certain URL-encoded characters, and limit the length of these inputs.
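The application-level mitigation described above, as an added example that is not code from the i18next-locize-backend project: an allowlist check for the four interpolated values, plus a helper that maps a user-supplied language (from a query parameter, cookie or header) onto a fixed supported list. The allowlist pattern, length caps and sample inputs are assumptions for illustration.

```javascript
// Added example: validate the values that i18next-locize-backend interpolates
// into its load-path URL templates before they are handed to i18next.
// MAX_LEN, SAFE_TOKEN and the sample values are assumptions, not project code.

const MAX_LEN = { lng: 35, ns: 64, projectId: 64, version: 32 };

// Allowlist: alphanumerics plus '.', '_' and '-', starting with an alphanumeric.
// This excludes '/', '\', '?', '#', '%', '@' and ':', so neither extra path
// segments, query strings nor percent-encoded variants can reach the URL builder.
const SAFE_TOKEN = /^[A-Za-z0-9][A-Za-z0-9._-]*$/;

// Returns null when the value is acceptable, otherwise a short reason string.
function rejectReason(field, value) {
  if (typeof value !== 'string' || value.length === 0) return 'empty or not a string';
  if (value.length > MAX_LEN[field]) return 'too long';
  if (/[\x00-\x1f\x7f]/.test(value)) return 'control character';
  // Checked before the allowlist so traversal attempts are reported explicitly.
  if (value.includes('..')) return 'path traversal sequence';
  if (!SAFE_TOKEN.test(value)) return 'disallowed character';
  return null;
}

// Validates { lng, ns, projectId, version }; returns { ok, values, errors }.
function validateLocizeInputs(inputs) {
  const errors = {};
  for (const field of Object.keys(MAX_LEN)) {
    const reason = rejectReason(field, inputs[field]);
    if (reason !== null) errors[field] = reason;
  }
  const ok = Object.keys(errors).length === 0;
  return { ok, values: ok ? { ...inputs } : null, errors };
}

// Maps a user-controlled language candidate onto the supported list; anything
// malformed or unknown falls back, so the value never shapes the URL.
function resolveLanguage(candidate, supported, fallback) {
  if (rejectReason('lng', candidate) !== null) return fallback;
  return supported.includes(candidate) ? candidate : fallback;
}

module.exports = { rejectReason, validateLocizeInputs, resolveLanguage };

// Constructed sample: a traversal attempt in the language parameter is rejected.
console.log(rejectReason('lng', '../../etc/passwd'));   // path traversal sequence
console.log(resolveLanguage('../../etc', ['en', 'de'], 'en')); // en
```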

Added: May 8, 2026, 10:29 PM
Updated: May 8, 2026, 10:29 PM

Vulnerability Rating

Custom Algorithm

spread          0.0
impact          3.1
exploitability  6.8
remediation     0.0
relevance       7.8
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.