Server-Side Request Forgery (SSRF) Vulnerability in google-translate-api-browser
Description
google-translate-api-browser is an npm package that interfaces with the Google Translate web API. A Server-Side Request Forgery (SSRF) vulnerability is present in applications that use the google-translate-api-browser package and expose the translateOptions to the end user. An attacker can set a malicious tld, causing the application to build unsafe URLs pointing at local resources. The translateOptions.tld field is not sanitized before being placed in the Google Translate URL, so an attacker with control over translateOptions can set the tld to a payload such as @127.0.0.1. The full URL then becomes https://translate.google.@127.0.0.1/..., where translate.google. is parsed as the username used to connect to localhost. An attacker can thus cause the server to send requests to hosts on internal networks and to the local host. If any HTTPS service on the internal network has a vulnerability reachable through a GET request, it could be exploited through this SSRF. This issue has been addressed in release version 4.1.3. Users are advised to upgrade. There are no known workarounds for this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-48711: SSRF in google-translate-api-browser via unsanitized tld field in translateOptions allows local/private network requests.
CVE-2023-48711 is a Server-Side Request Forgery (SSRF) vulnerability in the google-translate-api-browser npm package, which interfaces with the Google Translate web API. The root cause is the lack of sanitization of the translateOptions.tld field before it is incorporated into the Google Translate URL [1][2]. This allows an attacker with control over the translateOptions parameter to inject a malicious value, such as @127.0.0.1, causing the URL to become https://translate.google.@127.0.0.1/... where translate.google. is treated as a username, effectively directing the request to localhost [2].
Exploitation
Exploitation requires an application that uses the package and exposes the translateOptions to end users, for example by allowing user-supplied JSON to define the tld field [2]. An attacker can send a crafted request with a malicious tld, like @127.0.0.1 or similar targeting an internal host [2]. The server then makes a request to that internal resource, as demonstrated in the advisory's proof-of-concept [2]. No authentication is needed beyond the ability to influence the translateOptions parameter.
Impact
A successful attack allows the attacker to force the server to make HTTPS GET requests to arbitrary internal hosts and the local machine [1][2]. If any HTTPS-enabled service inside the network has a vulnerability that can be triggered via a GET request, it could be exploited via this SSRF. The attacker can potentially access internal APIs, cloud metadata endpoints, or other sensitive resources [1][2].
Mitigation
The vulnerability is patched in version 4.1.3 of google-translate-api-browser [1][3]. The fix adds a validateTLD check in generateRequestUrl that rejects any tld not consisting of 2 to 63 ASCII letters and throws before the URL is built; the same commit also factors the request body construction into a createRequestBody helper [4]. Users are advised to upgrade immediately; no workarounds are available [1][2].
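As an added example (not code from google-translate-api-browser or its author), the following Node.js snippet shows why an unsanitized tld rewrites the effective host under WHATWG URL parsing, and how the allowlist check described above, combined with re-parsing the built URL, prevents it. The helper names and the "/translate" path are this example's own assumptions, not the package's real API path.

```javascript
// Added example, not the package's own code. Helper names and BASE_PATH are
// assumptions made for illustration.
const BASE_PATH = "/translate"; // assumed placeholder, not the real API path

// Pre-4.1.3 behaviour as described in the advisory: the tld is spliced
// straight into the hostname with no validation.
function buildTranslateUrlUnsafe(translateOptions) {
  const tld = translateOptions.tld ?? "com";
  return `https://translate.google.${tld}${BASE_PATH}`;
}

// Allowlist check in the spirit of the 4.1.3 fix: 2 to 63 ASCII letters only.
// The typeof guard rejects undefined/null instead of throwing a TypeError.
function isValidTld(tld) {
  return typeof tld === "string" && /^[a-zA-Z]{2,63}$/.test(tld);
}

// Reports where a URL string will actually connect: anything before an '@'
// in the authority is userinfo, not the host.
function effectiveHost(urlString) {
  const u = new URL(urlString);
  return { hostname: u.hostname, username: u.username, port: u.port };
}

// Hardened builder: validate the input, then re-parse the output and confirm
// the host is exactly the intended one and no userinfo was introduced.
function buildTranslateUrlSafe(translateOptions) {
  const tld = translateOptions.tld ?? "com";
  if (!isValidTld(tld)) {
    throw new Error("Invalid TLD: Must be 2-63 letters only");
  }
  const url = `https://translate.google.${tld}${BASE_PATH}`;
  const parsed = new URL(url); // hostname is lower-cased by the parser
  if (parsed.hostname !== `translate.google.${tld.toLowerCase()}` || parsed.username !== "") {
    throw new Error("Unexpected host in generated URL");
  }
  return url;
}

// Summarises what a given tld does under both builders.
function assess(tld) {
  const unsafe = effectiveHost(buildTranslateUrlUnsafe({ tld }));
  let safe;
  try {
    safe = { accepted: true, hostname: effectiveHost(buildTranslateUrlSafe({ tld })).hostname };
  } catch (e) {
    safe = { accepted: false, reason: e.message };
  }
  return { unsafe, safe };
}

// Constructed sample inputs: two normal TLDs, the advisory's payload, and a
// punycode TLD that the letters-only allowlist also rejects.
for (const tld of ["com", "de", "@127.0.0.1", "xn--p1ai"]) {
  console.log(JSON.stringify({ tld, ...assess(tld) }));
}
```

Running it shows the unsafe builder resolving the advisory's payload to hostname 127.0.0.1 with username translate.google., while the hardened builder rejects it before any request is made. The post-build re-parse is a second, independent check: even if the allowlist were later loosened, a URL whose hostname does not match the intended origin is still refused.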
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| google-translate-api-browser (npm) | < 4.1.0 | 4.1.0 |
Affected products
- Range: < 4.1.3
- cjvnjde/google-translate-api-browser v5, Range: < 4.1.3
Patches
33c2eac4a21c: Add tld validation
4 files changed · +17 −8
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "google-translate-api-browser", - "version": "4.1.1", + "version": "4.1.3", "description": "A free and unlimited API for Google Translate that works in browser", "repository": { "type": "git",
src/generateRequestUrl.ts+8 −0 modified@@ -1,9 +1,17 @@ import { defaultTranslateOptions } from "./defaultTranslateOptions"; import { TranslateOptions } from "./TranslateOptions"; +function validateTLD(tld: string) { + return Boolean(tld.match(/^[a-zA-Z]{2,63}$/)); +} + export function generateRequestUrl(options: Partial<Omit<TranslateOptions, 'raw'>> = {}): string { const translateOptions = { ...defaultTranslateOptions, ...options }; + if (!validateTLD(translateOptions.tld)) { + throw new Error("Invalid TLD: Must be 2-63 letters only") + } + const queryParams = { rpcids: translateOptions.rpcids, 'source-path': '/',
src/normaliseResponse.ts+1 −1 modified@@ -29,7 +29,7 @@ export function normaliseResponse(rawBody: string, raw = false): TranslationResu } if (!data) { - throw new Error('No data') + throw new Error('Data is either empty or corrupted') } const result: TranslationResult = {
src/translate.server.ts+7 −6 modified@@ -4,13 +4,16 @@ import { TranslateOptions } from "./TranslateOptions"; import { normaliseResponse, TranslationResult } from "./normaliseResponse"; import * as https from 'node:https'; +export function createRequestBody(text: string, translateOptions: Pick<TranslateOptions, "to" | "from" | "rpcids">) { + const encodedData = encodeURIComponent(`[[["${translateOptions.rpcids}","[[\\"${text}\\",\\"${translateOptions.from}\\",\\"${translateOptions.to}\\",true],[1]]",null,"generic"]]]`); + return `f.req=${encodedData}&`; +} + export function translate(text: string, options: Partial<TranslateOptions> = {}): Promise<TranslationResult> { const translateOptions = { ...defaultTranslateOptions, ...options }; return new Promise((resolve, reject) => { - const encodedData = encodeURIComponent(`[[["${translateOptions.rpcids}","[[\\"${text}\\",\\"${translateOptions.from}\\",\\"${translateOptions.to}\\",true],[1]]",null,"generic"]]]`); - const body = `f.req=${encodedData}&`; - + const body = createRequestBody(text, translateOptions); const url = generateRequestUrl(translateOptions); const req = https.request(url, { @@ -29,9 +32,7 @@ export function translate(text: string, options: Partial<TranslateOptions> = {}) resp.on('end', () => { resolve(normaliseResponse(data)) }); - }).on('error', (err) => { - reject(err) - }) + }).on('error', reject); req.write(body); req.end();
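Review bot: the package.json hunk bumps the version straight from 4.1.1 to 4.1.3, while the affected-packages table on this page lists 4.1.0 as the patched version; the published advisory range should be reconciled with the release that actually carries validateTLD (4.1.3 per this diff).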
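Review bot: in the src/generateRequestUrl.ts hunk, validateTLD(tld) calls tld.match without a type guard, so an explicit `{ tld: undefined }` (which the `{ ...defaultTranslateOptions, ...options }` spread lets override the default) throws a TypeError instead of the intended "Invalid TLD" error; suggest `return typeof tld === "string" && /^[a-zA-Z]{2,63}$/.test(tld);`. The letters-only allowlist also rejects punycode TLDs (xn--..., which contain digits and hyphens); that is a sound trade-off for an SSRF fix but deserves a comment so it is not loosened later. The `throw new Error("Invalid TLD: Must be 2-63 letters only")` line is missing its trailing semicolon.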
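Review bot: in the src/translate.server.ts hunk, createRequestBody interpolates text, from and to into a hand-assembled JSON string with only the surrounding quotes escaped, so a double quote or backslash in text yields a malformed f.req rather than an escaped value; building the inner payload with `JSON.stringify([[text, translateOptions.from, translateOptions.to, true], [1]])` and wrapping that would be safer. This is pre-existing behaviour moved into the helper, but the extraction is the right moment to fix it and add a test with quoted input. The `.on('error', reject)` simplification in the second hunk is fine.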
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-4233-7q5q-m7p6 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-48711 (ghsa, ADVISORY)
- github.com/cjvnjde/google-translate-api-browser/commit/33c2eac4a21c6504409e7b06dd16e6346f93d34b (ghsa, x_refsource_MISC, WEB)
- github.com/cjvnjde/google-translate-api-browser/security/advisories/GHSA-4233-7q5q-m7p6 (ghsa, x_refsource_CONFIRM, WEB)