CVE-2017-16010: Cross-Site Scripting in i18next
6.1
CVSS Score
3.0
Basic Information
CVE ID
GHSA ID
EPSS Score
0.45009%
CWE
Published
7/24/2018
Updated
9/8/2023
KEV Status
No
Technology
JavaScript
Technical Details
CVSS Vector
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
i18next | npm | >= 2.0.0, < 3.4.4 | 3.4.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The security patch modifies the Interpolator constructor's handling of the escapeValue option. In vulnerable versions, when escapeValue
wasn't explicitly provided in interpolation options, it remained undefined rather than defaulting to true. This constructor is directly responsible for initializing the escaping behavior, and its incorrect default value propagation would appear in any stack trace initializing the i18n
instance with vulnerable configuration. The interpolate()
method that processes values would inherit this insecure configuration, but the root cause is in the constructor's initialization logic as shown in the patch.