i18next-http-middleware Path Traversal and SSRF Vulnerability
Vulnerability
A vulnerability in i18next-http-middleware versions prior to 3.9.3 allows for path traversal or server-side request forgery (SSRF) attacks. The middleware passes user-controlled language and namespace values directly to the i18next backend connector without proper sanitization. This oversight can be exploited depending on the configured backend: with i18next-fs-backend, it enables unauthorized file access, while with i18next-http-backend, it allows requests to internal services that could lead to credential theft.
Impact
Exploitation of this vulnerability could result in arbitrary file read access through filesystem-style backends, or SSRF via HTTP-style backends, potentially allowing access to internal services or cloud metadata endpoints for credential theft.
Reproduction
To reproduce this vulnerability, send a request to the locales resources endpoint with crafted lng and ns parameters. The i18next-fs-backend will read the specified file from the server's filesystem, while the i18next-http-backend will forward the request to an internal service, which could be exploited to access sensitive data.
Remediation
Users are advised to upgrade to i18next-http-middleware version 3.9.3 or later. Upgrading the backend instead, to i18next-fs-backend version 2.6.4 or i18next-http-backend version 3.0.5, also mitigates the vulnerability.
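The root cause above is that user-controlled lng and ns values reach the backend unsanitized. As an added defensive example (not code from the advisory or from i18next-http-middleware), the validator below accepts only single, allowlisted path segments and rejects the request before any backend is consulted; the Express-style wiring, the supported-language and namespace lists, and all function names are assumptions.

```javascript
// Added example, not part of i18next-http-middleware: validate lng / ns
// before they can select a file (fs backend) or a URL (http backend).

// A single path segment: letters, digits, underscore, hyphen. No "/", "\", ".",
// ":" or percent-encoding, so neither traversal nor a scheme/host can be smuggled in.
const SAFE_SEGMENT = /^[A-Za-z0-9_-]+$/;

// True only when `value` is a string, matches SAFE_SEGMENT and is on the allowlist.
// Express may parse repeated query keys as arrays, hence the typeof check.
function isSafeParam(value, allowlist) {
  if (typeof value !== "string") return false;
  if (!SAFE_SEGMENT.test(value)) return false;
  return allowlist.includes(value);
}

// Validates a parsed query such as { lng: "en", ns: "translation" }.
// Returns { ok: true, lng, ns } or { ok: false, reason }.
function validateLocaleRequest(query, supportedLngs, namespaces) {
  const { lng, ns } = query || {};
  if (!isSafeParam(lng, supportedLngs)) return { ok: false, reason: "bad lng" };
  if (!isSafeParam(ns, namespaces)) return { ok: false, reason: "bad ns" };
  return { ok: true, lng, ns };
}

// Hypothetical Express middleware: mount it in front of the locales resources
// route so the backend only ever sees values from the allowlists.
function localesGuard(supportedLngs, namespaces) {
  return (req, res, next) => {
    const result = validateLocaleRequest(req.query, supportedLngs, namespaces);
    if (!result.ok) return res.status(400).json({ error: result.reason });
    return next();
  };
}

// Constructed sample allowlists for a stand-alone run.
const SAMPLE_LNGS = ["en", "de"];
const SAMPLE_NAMESPACES = ["translation", "common"];

// Constructed sample queries: the first is accepted, the rest are rejected.
const sampleResults = [
  { lng: "en", ns: "translation" },
  { lng: "../x", ns: "translation" },
  { lng: "en", ns: "http://internal/x" },
  { lng: ["en"], ns: "common" },
].map((q) => validateLocaleRequest(q, SAMPLE_LNGS, SAMPLE_NAMESPACES).ok);
```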