Security Advisory - Published 2026-06-16 - Node.js / i18n Middleware

CVE-2026-48714: check i18next-http-middleware before 3.9.7

CVE-2026-48714 affects Node.js, Fastify, Express, and Deno applications using i18next-http-middleware before 3.9.7 when missing-key write handling is reachable from untrusted users with a vulnerable backend setup.

Defensive scope: this page is for owned codebases and client-approved review. It avoids request samples and abuse instructions.

Who is affected

  • Applications with i18next-http-middleware below 3.9.7.
  • Apps that expose missing-translation write routes outside trusted admin traffic.
  • Deployments that persist missing keys through a backend package or custom storage layer.

Owner self-check

npm ls i18next-http-middleware i18next-fs-backend
rg "missingKeyHandler|saveMissing|i18next-fs-backend|addMissingKey" .
rg "i18next-http-middleware" package.json package-lock.json pnpm-lock.yaml yarn.lock

A clean result means the middleware is upgraded, missing-key writes are not reachable from public traffic, and translation persistence logs show only expected application paths.
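
The version part of the self-check can be automated against a lockfile, including nested copies that a top-level upgrade does not replace. The following is an added example, not code from this advisory or from the i18next project; it assumes an npm package-lock.json, and the sample lockfile and the package name legacy-ui in it are constructed for illustration.

```javascript
const PKG = "i18next-http-middleware";
const FIXED = [3, 9, 7]; // first fixed release named in this advisory

// True when `version` sorts below 3.9.7. Prereleases of 3.9.7 and values that are
// not plain semver (git URLs, missing fields) are flagged for manual review.
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(version).split("+")[0]);
  if (!m) return true;
  const parts = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIXED[i]) return parts[i] < FIXED[i];
  }
  return Boolean(m[4]); // 3.9.7-rc.1 precedes 3.9.7
}

// Collect every installed copy, including nested ones pulled in transitively.
// Lockfile v2/v3 list installs under "packages"; v1 nests them under "dependencies".
function findInstalls(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.split("node_modules/").pop() === PKG) found.push({ path, version: meta.version });
    }
    return found;
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PKG) found.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return found;
}

const audit = (lock) => findInstalls(lock).map((i) => ({ ...i, vulnerable: isVulnerable(i.version) }));

// Constructed sample lockfile; for a real project pass the parsed package-lock.json instead.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "node_modules/i18next-http-middleware": { version: "3.9.7" },
    "node_modules/legacy-ui/node_modules/i18next-http-middleware": { version: "3.6.0" },
  },
};

audit(SAMPLE_LOCK).forEach((r) => console.log(`${r.vulnerable ? "UPGRADE" : "ok"} ${r.version} ${r.path}`));
```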

Safe fix

  • Upgrade i18next-http-middleware to 3.9.7 or later.
  • Disable public missing-key writes unless the route is needed.
  • Put any remaining write route behind authentication and application-level authorization.
  • Review recent translation files or backend writes for unexpected keys after 2026-06-15.
  • Redeploy from a clean lockfile and keep the old artifact for incident review if suspicious writes are found.

When to request repair

Use Ping7 CVE Repair if the application exposed missing-key writes to the internet, dependency history is unclear, logs show unexpected translation writes, or the service shares a host with production secrets.
