6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16010

GHSA ID

GHSA-cmh5-qc8w-xvcq

EPSS Score

0.45009%

CWE

CWE-79

Published

7/24/2018

Updated

9/8/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2017-16010

CVE-2017-16010: Cross-Site Scripting in i18next

Affected versions of i18next may fail to sanitize user input when certain configuration options are used. When using the .init method, passing interpolation options without passing an escapeValue will default to undefined rather than the assumed true.

Proof of Concept

var init = i18n.init({
  interpolation: {
    prefix: "__",
    suffix: "__",
    escapeValue: true
  }
}, function(){
  var test = i18n.t('__firstName__ __lastName__', {
        firstName: 'Bob',
        lastName: '["foo","bar"]',
  });
  console.log(test);
});

When escapeValue is explicitly passed, the result of test is:

&lt;script&gt;alert(1)&lt;&#x2F;script&gt; Johnson

This is supposed to be the default. However, if escapeValue is not included, the result is the unescaped string:

<script>alert(1)</script> Johnson

Recommendation

Update to version 3.4.4 or later.

(GitHub Advisory)

6.1

CVSS Score

3.0

Basic Information

CVE ID

CVE-2017-16010

GHSA ID

GHSA-cmh5-qc8w-xvcq

EPSS Score

0.45009%

CWE

CWE-79

Published

7/24/2018

Updated

9/8/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
i18next	npm	>= 2.0.0, < 3.4.4	3.4.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The security patch modifies the Interpolator constructor's handling of the escapeValue option. In vulnerable versions, when escapeValue wasn't explicitly provided in interpolation options, it remained undefined rather than defaulting to true. This constructor is directly responsible for initializing the escaping behavior, and its incorrect default value propagation would appear in any stack trace initializing the i18n instance with vulnerable configuration. The interpolate() method that processes values would inherit this insecure configuration, but the root cause is in the constructor's initialization logic as shown in the patch.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*****t** v*rsions o* `i**n*xt` m*y **il to s*nitiz* us*r input w**n **rt*in *on*i*ur*tion options *r* us**. W**n usin* t** `.init` m*t*o*, p*ssin* int*rpol*tion options wit*out p*ssin* *n `*s**p*V*lu*` will ****ult to `un***in**` r*t**r t**n t** *ssu

Reasoning

T** s**urity p*t** mo*i*i*s t** Int*rpol*tor *onstru*tor's **n*lin* o* t** *s**p*V*lu* option. In vuln*r**l* v*rsions, w**n `*s**p*V*lu*` w*sn't *xpli*itly provi*** in int*rpol*tion options, it r*m*in** un***in** r*t**r t**n ****ultin* to tru*. T*is

6.1

Basic Information

Concerned about an active attack path?

CVE-2017-16010: Cross-Site Scripting in i18next

Proof of Concept

Recommendation

6.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI