6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16008

GHSA ID

GHSA-f89g-whpf-6q9m

EPSS Score

0.45059%

CWE

CWE-79

Published

11/9/2018

Updated

9/8/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16008

CVE-2017-16008:
Cross-Site Scripting in i18next

Affected versions of i18next allow untrusted user input to be injected into dictionary key names, resulting in a cross-site scripting vulnerability.

Proof of Concept

var init = i18n.init({debug: true}, function(){
  var test = i18n.t('__firstName__ __lastName__', {
        escapeInterpolation: true,
        firstName: '__lastNameHTML__',
        lastName: '<script>',
  });
  console.log(test);
});
// equals "<script> &lt;script&gt;"

Recommendation

Update to version 1.10.3 or later.

(GitHub Advisory)

6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16008

GHSA ID

GHSA-f89g-whpf-6q9m

EPSS Score

0.45059%

CWE

CWE-79

Published

11/9/2018

Updated

9/8/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
i18next	npm	<= 1.10.2	1.10.3

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stemmed from how interpolation replacements were handled. The original applyReplacement function iterated over each key in the replacement hash, recursively processing nested keys. This allowed attacker-controlled values (like 'lastNameHTML') to act as new interpolation keys, enabling script injection. The patch replaced this with a single-pass regex to prevent recursive resolution. The function signature is directly visible in the pre-patch code's f.each loop and recursive applyReplacement calls.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `i**n*xt` *llow untrust** us*r input to ** inj**t** into *i*tion*ry k*y n*m*s, r*sultin* in * *ross-sit* s*riptin* vuln*r**ility. ## Proo* o* *on**pt ```js v*r init = i**n.init({***u*: tru*}, *un*tion(){ v*r t*st = i**n.t('__*

Reasoning

T** vuln*r**ility st*mm** *rom *ow int*rpol*tion r*pl***m*nts w*r* **n*l**. T** ori*in*l *pplyR*pl***m*nt *un*tion it*r*t** ov*r **** k*y in t** r*pl***m*nt **s*, r**ursiv*ly pro**ssin* n*st** k*ys. T*is *llow** *tt**k*r-*ontroll** v*lu*s (lik* '__l*

6.1

Basic Information

Concerned about an active attack path?

CVE-2017-16008: Cross-Site Scripting in i18next

Proof of Concept

Recommendation

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2017-16008:
Cross-Site Scripting in i18next

Vulnerability Intelligence
Miggo AI