CVE-2024-29042 in translate

Summary

by MITRE • 03/22/2024

Translate is a package that allows users to convert text to different languages on Node.js and the browser. Prior to version 3.0.0, an attacker controlling the second variable of the `translate` function is able to perform a cache poisoning attack. They can change the outcome of translation requests made by subsequent users. The `opt.id` parameter allows the overwriting of the cache key. If an attacker sets the `id` variable to the cache key that would be generated by another user, they can choose the response that user gets served. Version 3.0.0 fixes this issue.


Analysis

by VulDB Data Team • 12/05/2025

The vulnerability identified as CVE-2024-29042 affects the translate package used for text localization in Node.js and browser environments. This security flaw represents a significant cache poisoning attack vector that enables malicious actors to manipulate translation responses for other users. The vulnerability exists in versions prior to 3.0.0, where the `translate` function's second parameter, specifically the `opt.id` variable, creates a direct pathway for cache key manipulation. The flaw stems from insufficient input validation and improper cache key generation mechanisms that allow attackers to predict or control cache identifiers used for storing translation results. This represents a classic cache poisoning vulnerability where an attacker can inject malicious content into the cache system, leading to unauthorized modification of translation outputs.

The technical implementation of this vulnerability involves the `translate` function's handling of the `opt.id` parameter, which serves as the cache key for storing translation results. When an attacker controls this parameter, they can set it to match the cache key that would normally be generated for another user's request. This allows them to overwrite legitimate cache entries with their own translation responses, effectively serving incorrect translations to subsequent users who make requests that match the manipulated cache key. The vulnerability specifically targets the cache management logic, where the package fails to properly validate or sanitize the `id` parameter before using it as a cache key identifier. This flaw directly relates to CWE-200, which addresses information exposure through improper cache key handling, and CWE-345, which covers insufficient verification of data integrity in caching mechanisms. The attack vector operates through the principle of cache poisoning, where unauthorized parties can influence cached content, leading to information corruption and potential downstream security implications.

The operational impact of this vulnerability extends beyond simple translation errors to create potential security risks in applications that rely on the translate package for internationalization services. When exploited, the vulnerability can lead to information disclosure where users receive translations that contain sensitive information, or information corruption where malicious translations could mislead users about the content they are reading. The attack can be particularly dangerous in web applications where translation services are used for user interfaces, documentation, or content management systems. An attacker could potentially manipulate translations to display misleading information, redirect users to malicious websites, or obscure important security warnings. This vulnerability also affects the integrity of the translation service itself, potentially undermining user trust in the application's internationalization capabilities. The impact is amplified in environments where the translate package is used across multiple user sessions or where translation results are cached for extended periods, as the poisoned cache entries can affect numerous users over time.

Mitigation strategies for CVE-2024-29042 require immediate implementation of version 3.0.0 or later, which addresses the core cache key handling issue through proper input validation and sanitization. Organizations should conduct comprehensive vulnerability assessments to identify all applications using the affected translate package and ensure proper version updates are deployed across their infrastructure. The fix implemented in version 3.0.0 typically involves strengthening the cache key generation process to prevent external control of cache identifiers, implementing proper parameter validation for the `opt.id` field, and ensuring that cache keys are generated using secure cryptographic methods that cannot be manipulated by user input. Additionally, security teams should implement monitoring for unusual cache behavior patterns that might indicate attempted cache poisoning attacks, and establish proper input sanitization practices for all user-controllable parameters that could influence caching mechanisms. This vulnerability highlights the importance of secure coding practices around cache management and demonstrates the need for robust validation of all inputs that can affect system state, aligning with ATT&CK technique T1496, which addresses cache poisoning and data integrity manipulation attacks. Organizations should also consider implementing additional security controls such as cache invalidation policies and regular cache integrity checks to further protect against similar vulnerabilities in other components of their translation infrastructure.
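
The cache-key override and the two mitigations discussed above (deriving the key internally, and stripping `id` from caller-supplied options), shown on a toy cache. This is an added example, not code from the translate package or from VulDB; the key format and the names `makeTranslator`, `fakeEngine`, `deriveKey` and `safeOptions` are assumptions made for illustration.

```javascript
// Toy model of a translation cache; NOT the translate package's source.
// The key format and all function names here are assumptions for illustration.
const deriveKey = (text, opts) => `${opts.from}:${opts.to}:${text}`;

// Stand-in for the remote engine call (constructed, runs offline).
const fakeEngine = (text, opts) => `[${opts.to}] ${text}`;

function makeTranslator({ honourCallerId }) {
  const cache = new Map();
  return function translate(text, opts = {}) {
    const o = { from: "en", to: "es", ...opts };
    // Pre-3.0.0 behaviour as the advisory describes it: a caller-supplied
    // id replaces the derived cache key. The hardened variant ignores it.
    const key = honourCallerId && o.id ? o.id : deriveKey(text, o);
    if (!cache.has(key)) cache.set(key, fakeEngine(text, o));
    return cache.get(key);
  };
}

// Defensive wrapper for code that must pass request-derived options to an
// unpatched version: copy only allow-listed fields, so `id` never arrives.
function safeOptions(untrusted) {
  const out = {};
  for (const k of ["from", "to"]) {
    if (typeof untrusted[k] === "string") out[k] = untrusted[k];
  }
  return out;
}

// Scenario: user A's request carries an `id` equal to user B's derived key.
function scenario(translate, sanitize) {
  const bKey = deriveKey("Delete account", { from: "en", to: "es" });
  const aOpts = { from: "en", to: "es", id: bKey };
  translate("Keep account", sanitize ? safeOptions(aOpts) : aOpts);
  return translate("Delete account", { from: "en", to: "es" }); // user B
}

const vulnerable = scenario(makeTranslator({ honourCallerId: true }), false);
const wrapped = scenario(makeTranslator({ honourCallerId: true }), true);
const fixed = scenario(makeTranslator({ honourCallerId: false }), false);
console.log({ vulnerable, wrapped, fixed });
```

In the `vulnerable` run user B receives the entry stored under user A's request; in the `wrapped` and `fixed` runs user B receives the translation of their own text.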

Responsible

GitHub, Inc.

Reservation

03/14/2024

Disclosure

03/22/2024

Moderation

accepted

CPE

ready

EPSS

0.00650

KEV

no

Activities

very low
