CVE-2026-41690
Port of i18next-http-middleware CVE-2026-41690 prototype-pollution-via-dotted-segment into mashpie/i18n-node. The i18n-node library already hosts an analogous dotted-key traversal in localeMutator / localeAccessor (i18n.js): `singular.split(objectNotation).reduce((object, index) => ... object[index] = value, locales[locale])`. The vulnerable port weakens the per-segment existence check from Object.prototype.hasOwnProperty.call to a plain `object[index] === undefined`, matching the shape of i18next-http-middleware's pre-3.9.3 setPath. Attacker-controlled dotted keys reaching the public `__` / `__n` API then walk through inherited Object members and write to the shared prototype — leading (`__proto__.polluted`), non-leading (`foo.__proto__.x` — the v3.9.7-style follow-up bypass), and deeper constructor.prototype chains all reach Object.prototype. Fix re-introduces the segment guard at every position via a small lib/safe-set.js helper referenced from both traversal functions.
Tags: js, CWE-1321, high, ported, c8
Source: github.com/mashpie/i18n-node
- disclosed: 2026-06-02
- kind: ported
- complexity: 8/10
- recency: current
Instruction
The Node.js package at /app contains a security vulnerability in the CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes) class.
Audit the codebase for a vulnerability of this class. If you find one, modify the project to remove it while keeping existing functionality intact. If you find no such vulnerability, make no changes.
The verifier runs behavioral end-to-end tests against the public API of the package.
Oracle — security tests
- oracle_proto_pollution.cjs
Runs
10 fcv cases on this task

| model | result | | duration | trajectory |
|---|---|---|---|---|
| gpt-5.3-codex | pass | 52.3 | 240s | trajectory |
| gpt-5.3-codex | pass | 52.3 | 240s | — |
| gpt-5.3-codex | pass | 52.3 | 240s | — |
| gpt-5.5 | pass | 75.9 | 364s | trajectory |
| gpt-5.5 | pass | 75.9 | 364s | — |
| gpt-5.5 | pass | 75.9 | 364s | — |
| glm-5.2 | pass | 75.4 | 823s | trajectory |
| glm-5.2 | pass | 75.4 | 823s | — |
| glm-5.2 | pass | 75.4 | 823s | — |
| deepseek-v4-pro | pass | 78.7 | 864s | trajectory |
| deepseek-v4-pro | pass | 78.7 | 864s | — |
| deepseek-v4-pro | pass | 78.7 | 864s | — |
| kimi-k2.7-code | pass | 103.7 | 1103s | trajectory |
| kimi-k2.7-code | pass | 103.7 | 1103s | — |
| kimi-k2.7-code | pass | 103.7 | 1103s | — |
| glm-5.1 | pass | 103.3 | 1605s | trajectory |
| glm-5.1 | pass | 103.3 | 1605s | — |
| kimi-k2.6 | pass | 121.6 | 2519s | trajectory |
| kimi-k2.6 | pass | 121.6 | 2519s | — |
| kimi-k2.6 | pass | 121.6 | 2519s | — |
| claude-haiku-4-5 | fail | 90.5 | 530s | — |
| claude-haiku-4-5 | fail | 90.5 | 530s | — |
| claude-haiku-4-5 | fail | 90.5 | 530s | — |
| minimax-m2.7 | fail | 86.9 | 846s | — |
| minimax-m2.7 | fail | 86.9 | 846s | — |
| minimax-m2.7 | fail | 86.9 | 846s | — |
| claude-opus-4-8 | fail | 107.9 | 1169s | — |
| claude-opus-4-8 | fail | 107.9 | 1169s | — |
| claude-opus-4-8 | fail | 107.9 | 1169s | — |
| glm-5.1 | fail | 103.3 | 1605s | — |