| عنوان | Node.js gettext-converter 1.3.2 Prototype Pollution |
|---|
| الوصف | `js2i18next()` is vulnerable to prototype pollution when converting gettext-style translation data into i18next JSON. The issue is triggered when a translation key contains the configured key separator (`##` by default) and one of the generated path segments is a prototype pollution primitive such as `__proto__`.
During conversion, `js2i18next()` treats separator-delimited keys as nested object paths. It splits the key and then uses each segment directly as a dynamic property name on a normal JavaScript object. For a key such as `__proto__##gcPolluted`, the first segment causes the code to resolve `appendTo["__proto__"]` through the inherited `__proto__` accessor. Instead of creating a safe own property on the output object, the converter follows the prototype chain and sets the current append target to `Object.prototype`.
The final translation value is then merged with `Object.assign(appendTo, newValues)`. At that point, `appendTo` is `Object.prototype`, so the converted translation is written onto the global object prototype. After this happens, unrelated plain objects inherit the polluted property.
This can affect applications that convert untrusted or partially trusted translation files, localization bundles, or user-provided gettext data. Prototype pollution may lead to unexpected application behavior, denial of service, option/default confusion, or logic bypasses in code that relies on normal object property lookups. |
|---|
| المصدر | ⚠️ https://github.com/locize/gettext-converter/issues/15 |
|---|
| المستخدم | wjm1 (UID 98929) |
|---|
| ارسال | 12/06/2026 07:03 PM (1 شهر منذ) |
|---|
| الاعتدال | 17/07/2026 09:38 PM (1 month later) |
|---|
| الحالة | تمت الموافقة |
|---|
| إدخال VulDB | 379922 [locize gettext-converter حتى 1.3.2 lib/js2i18next.js js2i18next تجاوز الصلاحيات] |
|---|
| النقاط | 20 |
|---|