CVE-2026-48714 is a critical-severity security vulnerability in i18next-http-middleware (npm), affecting versions < 3.9.7. It is fixed in 3.9.7.
Impact

i18next-http-middleware ≤ 3.9.6's missingKeyHandler blocked the literal request-body keys __proto__, constructor, and prototype (added in 3.9.3, see GHSA-5fgg-jcpf-8jjw), but did not reject dotted variants such as "__proto__.polluted". Downstream backends that split the missing-key string on a configured keySeparator (notably i18next-fs-backend ≤ 2.6.5) hand these keys to an unguarded setPath() walker that writes to Object.prototype. Applications that expose missingKeyHandler to untrusted input AND use i18next-fs-backend ≤ 2.6.5 are directly exploitable for remote prototype pollution. Other downstream backends that split the missing-key string the same way may be similarly affected. Depending on the host application, polluted prototype properties may cause crashes, corrupted translation behaviour, configuration poisoning, or bypasses of property-based security checks.

Patches

Fixed in i18next-http-middleware 3.9.7. A new utils.hasUnsafeKeySegment(key, keySeparator) helper is now used by missingKeyHandler; the configured i18next.options.keySeparator is honoured (default "."; false disables segment splitting, so only the literal-key denylist applies). Legitimate dotted keys (e.g. "header.title") are unaffected. The root-cause fix has been shipped in i18next-fs-backend 2.6.6; see the companion advisory.

Workarounds

If you cannot upgrade immediately:
- Do not expose missingKeyHandler to untrusted users (mount it behind authentication, or remove the route).
- Add a request-body filter ahead of the handler that rejects any top-level key containing __proto__, constructor, or prototype after splitting on the configured keySeparator.
- Disable missing-key persistence (saveMissing: false) when accepting writes from untrusted input.

Resources

Original report by @codeswhite. Companion advisory in i18next-fs-backend: GHSA-2933-q333-qg83. Previous i18next-http-middleware security release: GHSA-5fgg-jcpf-8jjw and GHSA-c3h8-g69v-pjrg (in 3.9.3).
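The mechanism in the Impact section and the check in the Patches and Workarounds sections, as an added example. This is not i18next, i18next-http-middleware or i18next-fs-backend code: unguardedSetPath is a simplified walker in the style of the unguarded setPath() the advisory describes, hasUnsafeKeySegment is a segment-level denylist modelled on the described utils.hasUnsafeKeySegment(key, keySeparator) behaviour, and bodyHasUnsafeKey is the kind of request-body pre-filter the workaround suggests. All function names and the sample request body are assumptions constructed for illustration.

```javascript
// Added example, not library code. Shows why a literal-key denylist is
// bypassed by "__proto__.polluted" once a backend splits the key on
// keySeparator, and what a per-segment check looks like.

const LITERAL_DENYLIST = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable pattern (simplified, not the real setPath): split the key on
// keySeparator and walk/create nested objects without checking segments.
// node['__proto__'] on a plain object is Object.prototype, so the final
// assignment lands on the shared prototype.
function unguardedSetPath(target, key, value, keySeparator = '.') {
  const segments = keySeparator === false ? [key] : key.split(keySeparator);
  let node = target;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    if (node[seg] === undefined) node[seg] = {};
    node = node[seg];
  }
  node[segments[segments.length - 1]] = value;
}

// Fixed pattern: reject the key if ANY segment, after splitting on the
// configured keySeparator, is a dangerous property name. keySeparator ===
// false means no splitting, so only the literal denylist applies.
function hasUnsafeKeySegment(key, keySeparator = '.') {
  if (typeof key !== 'string') return true; // only strings are valid keys
  const segments = keySeparator === false ? [key] : key.split(keySeparator);
  return segments.some((seg) => LITERAL_DENYLIST.has(seg));
}

function guardedSetPath(target, key, value, keySeparator = '.') {
  if (hasUnsafeKeySegment(key, keySeparator)) {
    throw new Error(`refusing unsafe translation key: ${key}`);
  }
  unguardedSetPath(target, key, value, keySeparator);
}

// Workaround-style pre-filter for a parsed JSON request body: the top-level
// keys are the missing translation keys, so screen each one. JSON.parse
// creates an own "__proto__" property, which Object.keys() does report.
function bodyHasUnsafeKey(body, keySeparator = '.') {
  return Object.keys(body).some((k) => hasUnsafeKeySegment(k, keySeparator));
}

// Walk through the bypass and the fix on a constructed missing-key payload.
function demo() {
  const store = {};
  const attackerKey = '__proto__.polluted';

  // The 3.9.3 literal-only check passes the dotted key straight through.
  const literalCheckBypassed = !LITERAL_DENYLIST.has(attackerKey);

  // An unguarded walker then writes to Object.prototype.
  unguardedSetPath(store, attackerKey, 'yes');
  const polluted = ({}).polluted === 'yes';
  delete Object.prototype.polluted; // undo the pollution for the rest of the run

  // The segment-aware check refuses the same key ...
  let blocked = false;
  try { guardedSetPath(store, attackerKey, 'yes'); } catch (e) { blocked = true; }

  // ... while a legitimate dotted key is still accepted and stored.
  const legitAllowed = !hasUnsafeKeySegment('header.title');
  guardedSetPath(store, 'header.title', 'Welcome');
  const legitStored = store.header.title === 'Welcome';

  // Constructed request body (not from the page): one good key, one bad.
  const body = JSON.parse('{"header.title":"","__proto__.polluted":""}');
  const bodyRejected = bodyHasUnsafeKey(body);

  return { literalCheckBypassed, polluted, blocked, legitAllowed, legitStored, bodyRejected };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Note the keySeparator caveat: with keySeparator set to false the key is never split, so "__proto__.polluted" is a harmless literal property name and the check correctly lets it through; with a non-default separator such as ":" the split must use that separator or the check silently degrades to the old literal-only behaviour.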
CVE-2026-48714 has a CVSS score of 9.1 (Critical). The attack vector is network, no privileges are required, and no user interaction is needed. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment: here, whether missingKeyHandler is reachable by untrusted clients and whether a backend that splits keys on keySeparator (such as i18next-fs-backend ≤ 2.6.5) persists them.
A fixed version is available (3.9.7). Upgrading removes the vulnerable code path.
Package: i18next-http-middleware (npm)
Affected versions: < 3.9.7
Fixed version: 3.9.7

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact depend on whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
CVE-2026-48714 has a CVSS score of 9.1 (Critical). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
i18next-http-middleware (npm) versions < 3.9.7 are affected.
A fix is available: CVE-2026-48714 is fixed in 3.9.7. Upgrade to this version or later.
Upgrade i18next-http-middleware to 3.9.7 or later.