VYPR
Moderate severity · NVD Advisory · Published Jun 4, 2018 · Updated Sep 16, 2024

CVE-2017-16008

Description

i18next <=1.10.2 suffers from cross-site scripting via sequential interpolation replacement, allowing untrusted input to inject dictionary keys and execute scripts.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

i18next versions <=1.10.2 are vulnerable to cross-site scripting (XSS) because of a flaw in the interpolation implementation: replacements from the dictionary are performed sequentially, one key at a time, and each pass rescans the output of the previous one. Untrusted input that contains the name of another dictionary key (e.g., __lastName__) is therefore substituted on a later pass, which can bypass the escaping mechanism. The affected versions are i18next 1.10.2 and earlier. [1][2][3]

Exploitation

An attacker who controls input passed to the translation function can supply a value that itself names a dictionary key, such as __lastNameHTML__. Because replacement is sequential, that value is rescanned on a later pass and replaced with the value of the named key, which may be unescaped HTML. Even with escapeInterpolation: true, the attacker can therefore trigger XSS by naming a key that outputs raw HTML. For example, a dictionary with the keys firstName: '__lastNameHTML__' and lastName: '' results in the script tag being injected. [3]

Impact

Successful exploitation allows an attacker to inject arbitrary JavaScript into the browser, leading to cross-site scripting (XSS). This can be used to steal session cookies, deface pages, or perform actions on behalf of the victim. [1][2]

Mitigation

Upgrade to i18next version 1.10.3 or later, which fixes the vulnerability by performing all replacements simultaneously, preventing untrusted input from causing unexpected interpolations. The fix was released on November 9, 2018. No workarounds are documented. [2][3]
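The Exploitation and Mitigation passages above describe two interpolation strategies. The following is an added illustration, not i18next's own code: a minimal model of sequential replacement beside a single-pass replacement, run on a constructed input where both fields are untrusted. The "__keyHTML__ emits the value raw" convention is assumed from the advisory text rather than copied from the library.

```javascript
// Added example, not i18next's own code: a simplified model of the two
// interpolation strategies. The "__keyHTML__ means raw" convention is assumed.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Vulnerable model (i18next <= 1.10.2 style): one key at a time, each pass
// scanning the output of the previous pass, so an already-substituted value can
// itself be treated as a placeholder by a later key.
function interpolateSequential(template, values) {
  let out = template;
  for (const [key, value] of Object.entries(values)) {
    out = out.split(`__${key}HTML__`).join(String(value)); // raw variant
    out = out.split(`__${key}__`).join(escapeHtml(value)); // escaped variant
  }
  return out;
}

// Fixed model (1.10.3 style): a single pass over the original template only;
// replacement text is never rescanned, so a value cannot name another key.
function interpolateSinglePass(template, values) {
  return template.replace(/__(\w+?)(HTML)?__/g, (match, key, raw) => {
    if (!Object.prototype.hasOwnProperty.call(values, key)) return match;
    return raw ? String(values[key]) : escapeHtml(values[key]);
  });
}

// Constructed input: both fields come from the user (e.g. a profile form) and
// each is escaped on its own, yet firstName names the raw variant of lastName.
const TEMPLATE = 'Hello __firstName__ __lastName__';
const UNTRUSTED = {
  firstName: '__lastNameHTML__',
  lastName: '<script>alert(1)</script>',
};

// Detection helper for the demonstration: did unescaped markup reach the output?
function containsRawScript(html) {
  return /<script/i.test(html);
}

console.log(interpolateSequential(TEMPLATE, UNTRUSTED)); // raw <script> survives
console.log(interpolateSinglePass(TEMPLATE, UNTRUSTED)); // everything escaped
```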

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: i18next (npm)
Affected versions: < 1.10.3
Patched versions: 1.10.3

Affected products

  • ghsa-coords
    Range: < 1.10.3
  • HackerOne / i18next node module v5
    Range: <=1.10.2

Patches

No patches discovered yet.

References
