Security Advisory - Published 2026-06-16 - Node.js / i18n Middleware
CVE-2026-48714: check i18next-http-middleware before 3.9.7
CVE-2026-48714 affects Node.js, Fastify, Express, and Deno applications using i18next-http-middleware before 3.9.7 when missing-key write handling is reachable from untrusted users with a vulnerable backend setup.
Who is affected
- Applications with i18next-http-middleware below 3.9.7.
- Apps that expose missing-translation write routes outside trusted admin traffic.
- Deployments that persist missing keys through a backend package or custom storage layer.
Owner self-check
npm ls i18next-http-middleware i18next-fs-backend
rg "missingKeyHandler|saveMissing|i18next-fs-backend|addMissingKey" .
rg "i18next-http-middleware" package.json package-lock.json pnpm-lock.yaml yarn.lock
A clean result means the middleware is upgraded, missing-key writes are not reachable from public traffic, and translation persistence logs show only expected application paths.
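The lockfile part of the self-check can be scripted as a CI gate so that nested copies of the package are not missed. This is an added example, not code from the advisory or the i18next project; it assumes an npm package-lock.json already parsed with JSON.parse, and the sample lockfile, its versions and the legacy-admin package name are constructed.

```javascript
// Added example: flag every installed copy of i18next-http-middleware below 3.9.7.
const PKG = "i18next-http-middleware";
const FIXED = [3, 9, 7]; // fixed release named in the advisory

// True when the version is older than 3.9.7, is a pre-release of 3.9.7,
// or cannot be parsed (flagged so a human reviews it).
function isVulnerable(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(version));
  if (!m) return true;
  for (let i = 0; i < 3; i++) {
    const d = Number(m[i + 1]) - FIXED[i];
    if (d !== 0) return d < 0;
  }
  return Boolean(m[4]); // a pre-release sorts before the release itself
}

// Handles the flat "packages" map (lockfileVersion 2/3) and the nested
// "dependencies" tree (lockfileVersion 1).
function findCopies(lock) {
  const hits = [];
  const add = (path, meta) =>
    hits.push({ path, version: meta.version, vulnerable: isVulnerable(meta.version) });
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${PKG}` || path.endsWith(`/node_modules/${PKG}`)) add(path, meta);
    }
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === PKG) add(path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample: the top-level copy is fixed, a nested copy is not.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/i18next-http-middleware": { version: "3.9.7" },
    "node_modules/legacy-admin/node_modules/i18next-http-middleware": { version: "3.6.0" },
  },
};
for (const hit of findCopies(sampleLock)) console.log(hit);
```

Any entry reported with vulnerable set to true means the upgrade has not reached that copy, even if the top-level dependency is already at 3.9.7.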
Safe fix
- Upgrade i18next-http-middleware to 3.9.7 or later.
- Disable public missing-key writes unless the route is needed.
- Put any remaining write route behind authentication and application-level authorization.
- Review recent translation files or backend writes for unexpected keys after 2026-06-15.
- Redeploy from a clean lockfile and keep the old artifact for incident review if suspicious writes are found.
When to request repair
Use Ping7 CVE Repair if the application exposed missing-key writes to the internet, dependency history is unclear, logs show unexpected translation writes, or the service shares a host with production secrets.