| Titolo | Node.js gettext-converter 1.3.2 Prototype Pollution |
|---|
| Descrizione | `js2i18next()` is vulnerable to prototype pollution when converting gettext-style translation data into i18next JSON. The issue is triggered when a translation key contains the configured key separator (`##` by default) and one of the generated path segments is a prototype pollution primitive such as `__proto__`.
During conversion, `js2i18next()` treats separator-delimited keys as nested object paths. It splits the key and then uses each segment directly as a dynamic property name on a normal JavaScript object. For a key such as `__proto__##gcPolluted`, the first segment causes the code to resolve `appendTo["__proto__"]` through the inherited `__proto__` accessor. Instead of creating a safe own property on the output object, the converter follows the prototype chain and sets the current append target to `Object.prototype`.
The final translation value is then merged with `Object.assign(appendTo, newValues)`. At that point, `appendTo` is `Object.prototype`, so the converted translation is written onto the global object prototype. After this happens, unrelated plain objects inherit the polluted property.
This can affect applications that convert untrusted or partially trusted translation files, localization bundles, or user-provided gettext data. Prototype pollution may lead to unexpected application behavior, denial of service, option/default confusion, or logic bypasses in code that relies on normal object property lookups. |
|---|
| Fonte | ⚠️ https://github.com/locize/gettext-converter/issues/15 |
|---|
| Utente | wjm1 (UID 98929) |
|---|
| Sottomissione | 12/06/2026 19:03 (1 mese fa) |
|---|
| Moderazione | 17/07/2026 21:38 (1 month later) |
|---|
| Stato | Accettato |
|---|
| Voce VulDB | 379922 [locize gettext-converter fino a 1.3.2 lib/js2i18next.js js2i18next escalationi di privilegi] |
|---|
| Punti | 20 |
|---|