| शीर्षक | Node.js gettext-converter 1.3.2 Prototype Pollution |
|---|
| विवरण | `js2i18next()` is vulnerable to prototype pollution when converting gettext-style translation data into i18next JSON. The issue is triggered when a translation key contains the configured key separator (`##` by default) and one of the generated path segments is a prototype pollution primitive such as `__proto__`.
During conversion, `js2i18next()` treats separator-delimited keys as nested object paths. It splits the key and then uses each segment directly as a dynamic property name on a normal JavaScript object. For a key such as `__proto__##gcPolluted`, the first segment causes the code to resolve `appendTo["__proto__"]` through the inherited `__proto__` accessor. Instead of creating a safe own property on the output object, the converter follows the prototype chain and sets the current append target to `Object.prototype`.
The final translation value is then merged with `Object.assign(appendTo, newValues)`. At that point, `appendTo` is `Object.prototype`, so the converted translation is written onto the global object prototype. After this happens, unrelated plain objects inherit the polluted property.
This can affect applications that convert untrusted or partially trusted translation files, localization bundles, or user-provided gettext data. Prototype pollution may lead to unexpected application behavior, denial of service, option/default confusion, or logic bypasses in code that relies on normal object property lookups. |
|---|
| स्रोत | ⚠️ https://github.com/locize/gettext-converter/issues/15 |
|---|
| उपयोगकर्ता | wjm1 (UID 98929) |
|---|
| सबमिशन | 12/06/2026 07:03 PM (1 महीना पहले) |
|---|
| संयम | 17/07/2026 09:38 PM (1 month later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 379922 [locize gettext-converter तक 1.3.2 lib/js2i18next.js js2i18next अधिकार वृद्धि] |
|---|
| अंक | 20 |
|---|