
CVE-2017-16008: Cross-Site Scripting in i18next

CVSS Score
6.1 (CVSS 3.0)

Basic Information

EPSS Score
0.45059%
Published
11/9/2018
Updated
9/8/2023
KEV Status
No
Technology
JavaScript

Technical Details

CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name
i18next
Ecosystem
npm
Vulnerable Versions
<= 1.10.2
First Patched Version
1.10.3

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from how interpolation replacements were applied. The pre-patch applyReplacement function iterated over each key in the replacement hash and recursively processed nested keys, so text that had already been substituted was scanned again for placeholders. An attacker-controlled value (for example the string 'lastNameHTML' wrapped in the placeholder delimiters) was therefore treated as a new interpolation key on the next pass, which let unescaped markup reach the output and enabled script injection. The fix in 1.10.3 replaced this with a single-pass regex substitution over the template, so substituted values are never re-resolved. The recursive structure is directly visible in the pre-patch code's f.each loop and its recursive applyReplacement calls.
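The following JavaScript is an added illustration and is not i18next's code or Miggo's analysis: it models the two substitution strategies the root cause analysis contrasts, a recursive per-key replacer beside a single-pass regex replacer, and runs the advisory's attack pattern (a placeholder value of `__lastNameHTML__`) through both. It assumes i18next 1.x's convention that a placeholder whose key ends in HTML is inserted without escaping (the page's mention of 'lastNameHTML' alludes to this); the function names, the escaper and the sample inputs are constructed for this example.

```javascript
// Added example, not i18next's implementation. Models the interpolation
// flaw: a recursive replacer rescans substituted values, so attacker data
// can name a new placeholder; the single-pass replacer does not.

const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);

// Resolve one placeholder key against the replacement hash. Assumed
// convention (i18next 1.x style): a key ending in "HTML" yields the raw,
// unescaped value of the key without that suffix; every other key is
// HTML-escaped before insertion. Returns undefined for unknown keys.
function lookup(key, values) {
  if (key.endsWith('HTML')) {
    const raw = values[key.slice(0, -4)];
    return raw === undefined ? undefined : String(raw);
  }
  return values[key] === undefined ? undefined : escapeHtml(values[key]);
}

// VULNERABLE strategy: walk the replacement hash key by key, substituting
// into the accumulated output, then recurse while placeholders remain.
// Because the output (including values already dropped in) is scanned
// again, a value such as "__lastNameHTML__" becomes a placeholder itself.
// The depth cap is only a safety net so a self-referential value cannot
// loop forever in this demo.
function interpolateRecursive(template, values, depth = 0) {
  let out = template;
  for (const key of Object.keys(values)) {
    for (const k of [key, key + 'HTML']) {
      const placeholder = '__' + k + '__';
      if (out.includes(placeholder)) {
        out = out.split(placeholder).join(lookup(k, values));
      }
    }
  }
  if (depth < 5 && /__[A-Za-z0-9_]+__/.test(out)) {
    return interpolateRecursive(out, values, depth + 1);
  }
  return out;
}

// HARDENED strategy (the shape of the 1.10.3 fix): one regex pass over the
// template only. Substituted values are emitted verbatim and never
// re-scanned, so "__lastNameHTML__" inside a value stays literal text.
function interpolateSinglePass(template, values) {
  return template.replace(/__([A-Za-z0-9_]+?)__/g, (match, key) => {
    const v = lookup(key, values);
    return v === undefined ? match : v;
  });
}

// Constructed inputs following the advisory's attack pattern: the template
// is trusted, the values are attacker-controlled, and escaping is on.
const TEMPLATE = '__firstName__ __lastName__';
const ATTACKER = { firstName: '__lastNameHTML__', lastName: '<script>' };

function demo() {
  return {
    vulnerable: interpolateRecursive(TEMPLATE, ATTACKER),
    hardened: interpolateSinglePass(TEMPLATE, ATTACKER),
  };
}

const result = demo();
console.log('recursive :', result.vulnerable);   // raw <script> leaks through
console.log('single-pass:', result.hardened);    // placeholder stays inert text
```

The recursive variant first escapes `<script>` for `__lastName__`, but the `__lastNameHTML__` text that arrived as the firstName value is then resolved as a placeholder and pulls in the raw, unescaped lastName. The single-pass variant resolves only the placeholders present in the template, so the same input yields `__lastNameHTML__ &lt;script&gt;` and no markup executes.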


WAF Protection Rules

WAF Rule

Affected versions of `i18next` allow untrusted user input to be injected into dictionary key names, resulting in a cross-site scripting vulnerability.

Proof of concept (the page cuts the snippet off here): `var init = i18n.init({debug: true}, function(){ var test = i18n.t('__`
