SCA: security update for i18next-http-middleware (GHSA-f49m-vf83-692w)

critical Tenable Self-Hosted Container Security Plugin ID 443936

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- i18next-http-middleware is a middleware to be used with Node.js web frameworks like express or Fastify and
also for Deno. In versions prior to 3.9.7, the missingKeyHandler blocked the literal request-body keys
__proto__, constructor, and prototype (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not reject dotted
variants such as "__proto__.polluted". Downstream backends that split the missing-key string on a
configured keySeparator (notably i18next-fs-backend ≤ 2.6.5) hand these keys to an unguarded setPath()
walker that writes to Object.prototype. Applications that expose missingKeyHandler to untrusted input AND
use i18next-fs-backend ≤ 2.6.5 are directly exploitable for remote prototype pollution. Other downstream
backends that split the missing-key string the same way may be similarly affected. Depending on the host
application, polluted prototype properties may cause crashes, corrupted translation behaviour,
configuration poisoning, or bypasses of property-based security checks. This issue has been fixed in
version 3.9.7. If developers cannot upgrade immediately, they should do the following: do not expose
missingKeyHandler to untrusted users (mount it behind authentication, or remove the route), add a request-
body filter ahead of the handler that rejects any top-level key containing __proto__, constructor, or
prototype after splitting on their configured keySeparator, and disable missing-key persistence
(saveMissing: false) when accepting writes from untrusted input. (CVE-2026-48714)

Solution

Update the i18next-http-middleware library and its related packages to version 3.9.7 or later.

See Also

https://github.com/advisories/GHSA-f49m-vf83-692w

Plugin Details

Severity: Critical

ID: 443936

Version: Revision 1.2

Type: Local

Family: SCA Checks

Published: 6/26/2026

Updated: 7/2/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Medium

Score: 6.3

Percentile: 96.77

Vendor

Vendor Severity: Critical

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:C

CVSS Score Source: CVE-2026-48714

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 6/25/2026

Vulnerability Publication Date: 6/15/2026

Reference Information

CVE: CVE-2026-48714