CVE-2016-10524
Description
i18n-node-angular before 1.4.0 left a development REST API endpoint enabled in production, allowing DoS or content injection.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
i18n-node-angular is a module for using i18n-node with AngularJS. Versions before 1.4.0 expose a REST API endpoint /i18n/:locale/:phrase that allows adding previously unknown translation literals to translation files. This endpoint was intended for development use only but was not disabled in production environments [1][2].
Exploitation
An attacker can send HTTP requests to the /i18n/:locale/:phrase endpoint without any authentication. By repeatedly sending requests with arbitrary phrases, the attacker can fill up the server's translation files, causing a Denial of Service due to resource exhaustion, or inject malicious content into the translation files [1][3].
Impact
Successful exploitation leads to Denial of Service (server resource exhaustion) or content injection (modification of translation data). The attacker does not need any special privileges beyond network access to the endpoint [2][4].
Mitigation
The fix was implemented in version 1.4.0 by wrapping the route registration in a check for process.env.NODE_ENV === 'development' [3]. Users should upgrade to i18n-node-angular 1.4.0 or later. The project is now archived and no longer maintained [1].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
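A regression check for the gate described under Mitigation, as an added example rather than the project's own code. The handlers, the recording stub app and the sample NODE_ENV values are constructed; only the two route paths and the NODE_ENV comparison come from the fix commit.

```javascript
// Stand-ins for the module's handlers (assumed; not the project's implementation).
const i18nRoutes = {
  i18n: (req, res) => res.end("{}"),
  translate: (req, res) => res.end(req.params.phrase),
};

// Registration before 1.4.0: the translate route is always registered.
function configureBefore(app) {
  app.get("/i18n/:locale", i18nRoutes.i18n);
  app.get("/i18n/:locale/:phrase", i18nRoutes.translate);
}

// Registration as in the fix commit: translate route only in development.
function configureAfter(app) {
  app.get("/i18n/:locale", i18nRoutes.i18n);
  if (process.env.NODE_ENV === "development") {
    app.get("/i18n/:locale/:phrase", i18nRoutes.translate);
  }
}

// Minimal stub exposing the one Express-style method used here; records GET paths.
function recordingApp() {
  const paths = [];
  return { paths, get(path) { paths.push(path); } };
}

// Run a configure function under a given NODE_ENV and return the paths it registered.
function routesUnder(nodeEnv, configure) {
  const saved = process.env.NODE_ENV;
  if (nodeEnv === undefined) delete process.env.NODE_ENV;
  else process.env.NODE_ENV = nodeEnv;
  try {
    const app = recordingApp();
    configure(app);
    return app.paths;
  } finally {
    // Restore the caller's environment whatever happened above.
    if (saved === undefined) delete process.env.NODE_ENV;
    else process.env.NODE_ENV = saved;
  }
}

const TRANSLATE = "/i18n/:locale/:phrase";
// Constructed sample values, including unset and a wrong-case spelling.
const envs = [undefined, "production", "staging", "Development", "development"];

// Which of the sample environments end up with the translate route registered.
function exposure(configure) {
  return envs.filter((e) => routesUnder(e, configure).includes(TRANSLATE));
}

console.log("before:", exposure(configureBefore));
console.log("after: ", exposure(configureAfter));
```

The gated version fails closed when NODE_ENV is unset or spelled differently, and still registers the route on any host that runs with NODE_ENV set to development.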
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| i18n-node-angular (npm) | < 1.4.0 | 1.4.0 |
Affected products
- HackerOne/i18n-node-angular node module (v5), Range: <1.4.0
Patches
877720d2d9bb [FIX] Only register translate route during development
1 file changed · +4 −1
i18n-node-routes.js+4 −1 modified@@ -49,7 +49,10 @@ var configure = function( app, configObject ) { // Register routes app.get( "/i18n/:locale", i18nRoutes.i18n ); - app.get( "/i18n/:locale/:phrase", i18nRoutes.translate ); + + if( process.env.NODE_ENV === "development" ) { + app.get( "/i18n/:locale/:phrase", i18nRoutes.translate ); + } }; /**
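Review bot: The added check `if( process.env.NODE_ENV === "development" )` is an exact string comparison read from the process environment, so the translate route is still registered, with no middleware in front of `i18nRoutes.translate`, on any host that is started with NODE_ENV set to development. Consider making registration an explicit opt-in passed through `configObject`, which `configure` already receives, so the decision is visible in the application's own configuration. A short comment next to `// Register routes` stating that the `/i18n/:locale/:phrase` route is for development only would also help the next reader.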
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-97gv-3p2c-xw7j (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-10524 (ghsa, ADVISORY)
- github.com/oliversalzburg/i18n-node-angular/commit/877720d2d9bb90dc8233706e81ffa03f99fc9dc8 (ghsa, x_refsource_MISC, WEB)
- nodesecurity.io/advisories/80 (mitre, x_refsource_MISC)
- www.npmjs.com/advisories/80 (ghsa, WEB)