CVE-2017-16010
Description
Missing default escapeValue in i18next interpolation options leads to XSS because user input is not escaped as expected.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The i18next library (versions 2.0.0 through 3.4.3) fails to properly default the escapeValue option when the .init method is called with interpolation options but without explicitly providing escapeValue. The documentation and developer expectation is that escapeValue defaults to true, ensuring user-supplied interpolation values are HTML-escaped. However, because of a code path in the Interpolator, passing any interpolation options (e.g., only prefix and suffix) causes escapeValue to be set to undefined rather than true. This results in user input being inserted unescaped into the output, creating a cross-site scripting (XSS) vulnerability [1][2][3].
Exploitation
An attacker with the ability to control any value passed as interpolation variables (e.g., firstName, lastName in a translation call) can inject arbitrary HTML and JavaScript. The victim application must be using i18next with the .init method and passing an interpolation object that does not include escapeValue. When the application subsequently calls i18n.t with attacker-controlled data, the output will contain the raw, unescaped payload. No authentication or special network position is required beyond the ability to supply the malicious variable string (e.g., via user input that gets passed to the translation function) [2].
Impact
Successful exploitation allows an attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to theft of cookies, session tokens, or other sensitive data, defacement, or further attacks against the application's users. The impact is a classic cross-site scripting vulnerability, with full compromise of the confidentiality and integrity of the victim's interaction with the affected page [1][2].
Mitigation
Users should upgrade to i18next version 3.4.4 or later, which fixes the issue by ensuring escapeValue defaults to true when interpolation options are provided [2][3]. For versions that cannot be updated, ensure that escapeValue: true is explicitly passed within the interpolation options when calling .init as a workaround [2]. No other known workarounds exist; older affected versions (>=2.0.0, <3.4.4) remain vulnerable.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| i18next (npm) | >= 2.0.0, < 3.4.4 | 3.4.4 |
Affected products
- HackerOne/i18next node module, affected range: >=2.0.0 <=3.4.3
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing default value for escapeValue in interpolation options causes user input to be rendered unescaped."
Attack vector
An attacker who can control the values passed to translation variables (e.g., `firstName`, `lastName` in the `t()` call) can inject arbitrary HTML or JavaScript. The application developer must have initialized i18next with an `interpolation` block that omits `escapeValue: true`. When the library then interpolates the attacker-controlled value into a translated string, the value is not escaped, leading to reflected cross-site scripting [CWE-79][ref_id=1].
Affected code
The vulnerability is in the i18next JavaScript library, specifically in the `.init()` method's handling of the `interpolation` configuration object. When `escapeValue` is not explicitly passed within the `interpolation` options, it defaults to `undefined` rather than the expected `true`, causing user-supplied translation values to be rendered without HTML escaping [ref_id=1].
What the fix does
The advisory recommends updating to i18next version 3.4.4 or later [ref_id=1]. No patch diff is provided in the bundle, but the fix ensures that when `escapeValue` is not explicitly set in the `interpolation` options, the library defaults it to `true` instead of `undefined`, thereby maintaining the expected escaping behavior for all user-supplied translation values.
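To make the defaulting defect concrete, the following is an added example, not i18next's own source: a hypothetical model of an options resolver that loses the `escapeValue` default when any `interpolation` object is supplied, beside a version that defaults it to `true`. The option names (`escapeValue`, `prefix`, `suffix`) and the `firstName`/`lastName` variables come from the advisory; the merge and interpolation logic is a simplification, and the sample input is constructed.

```javascript
// Added example, not i18next's own source: a hypothetical model of the
// defaulting bug CVE-2017-16010 describes. Option names (escapeValue,
// prefix, suffix) and the firstName/lastName variables come from the
// advisory; the merge and interpolation logic here is a simplification.

function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;').replace(/'/g, '&#39;');
}

// Buggy pattern: a caller-supplied interpolation object replaces the
// defaults wholesale, so escapeValue ends up undefined (falsy).
function resolveOptionsVulnerable(interpolation) {
  const opts = interpolation || { escapeValue: true, prefix: '{{', suffix: '}}' };
  return { escapeValue: opts.escapeValue, prefix: opts.prefix || '{{', suffix: opts.suffix || '}}' };
}

// Fixed pattern: each field, escapeValue included, falls back to its default.
function resolveOptionsFixed(interpolation) {
  const opts = interpolation || {};
  return {
    escapeValue: opts.escapeValue === undefined ? true : opts.escapeValue,
    prefix: opts.prefix || '{{',
    suffix: opts.suffix || '}}',
  };
}

function escapeRegExp(s) { return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); }

// Substitute vars into template, escaping each value only when escapeValue is truthy.
function interpolate(template, vars, resolved) {
  const re = new RegExp(escapeRegExp(resolved.prefix) + '\\s*(.+?)\\s*' + escapeRegExp(resolved.suffix), 'g');
  return template.replace(re, (match, key) => {
    if (vars[key] === undefined) return match; // unknown key: leave the marker in place
    return resolved.escapeValue ? escapeHtml(vars[key]) : String(vars[key]);
  });
}

// Constructed sample: the app customises only prefix/suffix (as in the advisory),
// and firstName arrives from user input.
const appInterpolation = { prefix: '__', suffix: '__' };
const greeting = 'Hello __firstName__ __lastName__';
const userVars = { firstName: '<b>Bob</b>', lastName: 'Smith' };

function renderGreeting(resolveOptions) {
  return interpolate(greeting, userVars, resolveOptions(appInterpolation));
}

console.log('vulnerable:', renderGreeting(resolveOptionsVulnerable)); // raw <b> tag reaches the page
console.log('fixed:     ', renderGreeting(resolveOptionsFixed));      // &lt;b&gt;Bob&lt;/b&gt; Smith
```

The same resolver check is a cheap regression test for any wrapper around `.init()`: assert that `escapeValue` is `true` whenever the caller did not set it, regardless of which other interpolation keys were passed.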
Preconditions
- config: The application uses i18next version >= 2.0.0 and < 3.4.4
- config: The application calls .init() with an interpolation configuration that does not include escapeValue: true
- input: An attacker can control the values passed as interpolation variables to the t() function
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-cmh5-qc8w-xvcq (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2017-16010 (advisory, via GHSA)
- github.com/i18next/i18next/pull/826 (web, via GHSA; x_refsource_MISC)
- nodesecurity.io/advisories/326 (via MITRE; x_refsource_MISC)
- www.npmjs.com/advisories/326 (web, via GHSA)
News mentions
No linked articles in our index yet.