QID 983937
QID 983937: Nodejs (npm) Security Update for i18next (GHSA-cmh5-qc8w-xvcq)
Affected versions of `i18next` may fail to escape user input when certain configuration options are used. When calling `.init` with an `interpolation` object that does not set `escapeValue`, the option defaults to `undefined` rather than the assumed `true`, so interpolated values are inserted into the translated string without HTML escaping.

## Proof of Concept

```js
var i18n = require('i18next');

// escapeValue is passed explicitly here; removing it triggers the bug.
var init = i18n.init({
  interpolation: { prefix: "__", suffix: "__", escapeValue: true }
}, function () {
  // Interpolation values chosen to match the outputs quoted below.
  var test = i18n.t('__firstName__ __lastName__', {
    firstName: '<script>alert(1)</script>',
    lastName: 'Johnson'
  });
  console.log(test);
});
```

When `escapeValue` is explicitly passed as `true`, the result of `test` is the HTML-escaped string (i18next's escape helper replaces `&`, `<`, `>`, `"`, `'` and `/` with entities):

```
&lt;script&gt;alert(1)&lt;&#x2F;script&gt; Johnson
```

This is supposed to be the default. However, if `escapeValue` is omitted from the `interpolation` object, the result is the unescaped string, which a browser would execute if the translation is written into the DOM as HTML:

```
<script>alert(1)</script> Johnson
```

## Recommendation

Update to version 3.4.4 or later. Until then, set `escapeValue: true` explicitly in every `interpolation` object passed to `.init`, and audit existing init calls for interpolation options that omit it.
Successful exploitation of this vulnerability (cross-site scripting through unescaped interpolation values) may affect the confidentiality, integrity, and availability of the targeted application and its users.
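The option-handling defect described above, as an added example that is not part of the advisory or of i18next's own source: a minimal string interpolator whose `buggyInit` models the pre-3.4.4 behaviour (a user-supplied `interpolation` object replaces the defaults, so `escapeValue` ends up `undefined`, which is falsy) and whose `fixedInit` merges the user options over the defaults so the omitted flag keeps its secure value. `escapeHtml` mirrors i18next's entity map; `makeTranslator` is a simplified stand-in for `i18n.t`, and `leavesEscapingOff` is a hypothetical audit helper for flagging init options that would be unsafe under the old behaviour.

```javascript
// Added example: models the escapeValue default bug and its fix.
// Assumptions: ENTITY_MAP mirrors i18next's escape() helper; buggyInit,
// fixedInit, makeTranslator and leavesEscapingOff are illustrative code,
// not the library's actual implementation.

const DEFAULT_INTERPOLATION = { prefix: '{{', suffix: '}}', escapeValue: true };

const ENTITY_MAP = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;',
  '"': '&quot;', "'": '&#39;', '/': '&#x2F;',
};

// HTML-escape a value the way i18next's escape helper does.
function escapeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => ENTITY_MAP[ch]);
}

// Quote a literal prefix/suffix so it can be embedded in a RegExp.
function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Build a t()-like function from a resolved interpolation config.
// Escaping happens only when escapeValue is truthy.
function makeTranslator(interp) {
  const re = new RegExp(
    escapeRegExp(interp.prefix) + '\\s*([A-Za-z0-9]+)\\s*' + escapeRegExp(interp.suffix),
    'g'
  );
  return (template, vars) =>
    template.replace(re, (_, name) => {
      const value = vars[name] === undefined ? '' : vars[name];
      return interp.escapeValue ? escapeHtml(value) : String(value);
    });
}

// Vulnerable behaviour as described for versions before 3.4.4: the caller's
// interpolation object replaces the defaults wholesale, so an omitted
// escapeValue is undefined and escaping is silently disabled.
function buggyInit(options) {
  const interp = options.interpolation ? options.interpolation : DEFAULT_INTERPOLATION;
  return makeTranslator(interp);
}

// Fixed behaviour: caller options are merged over the defaults, so an
// omitted escapeValue keeps its secure default of true, while an explicit
// escapeValue: false is still honoured.
function fixedInit(options) {
  const interp = Object.assign({}, DEFAULT_INTERPOLATION, options.interpolation || {});
  return makeTranslator(interp);
}

// Audit helper (hypothetical): true when an init options object would leave
// escaping off under the old behaviour, i.e. it supplies an interpolation
// object without an explicit escapeValue: true.
function leavesEscapingOff(options) {
  const interp = options && options.interpolation;
  return Boolean(interp) && interp.escapeValue !== true;
}

// Constructed sample input mirroring the advisory's proof of concept.
const SAMPLE_VARS = { firstName: '<script>alert(1)</script>', lastName: 'Johnson' };
const SAMPLE_OPTS = { interpolation: { prefix: '__', suffix: '__' } }; // escapeValue omitted
const SAMPLE_TEMPLATE = '__firstName__ __lastName__';

console.log('old behaviour:', buggyInit(SAMPLE_OPTS)(SAMPLE_TEMPLATE, SAMPLE_VARS));
// old behaviour: <script>alert(1)</script> Johnson
console.log('fixed:        ', fixedInit(SAMPLE_OPTS)(SAMPLE_TEMPLATE, SAMPLE_VARS));
// fixed:         &lt;script&gt;alert(1)&lt;&#x2F;script&gt; Johnson
console.log('unsafe config?', leavesEscapingOff(SAMPLE_OPTS)); // unsafe config? true
```

The practical check is the last line: run `leavesEscapingOff` over the options object each `i18n.init` call in your codebase receives, and add `escapeValue: true` wherever it reports `true` if you cannot yet upgrade to 3.4.4.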
- GHSA-cmh5-qc8w-xvcq - github.com/advisories/GHSA-cmh5-qc8w-xvcq
CVEs related to QID 983937
| Advisory ID | Software | Component | Link |
|---|---|---|---|
| GHSA-cmh5-qc8w-xvcq | Node.js (npm) | i18next | github.com/advisories/GHSA-cmh5-qc8w-xvcq |