CVE-2026-41683
i18next-http-middleware: HTTP response splitting and DoS via unsanitised Content-Language header
Description
### Summary Versions of `i18next-http-middleware` prior to 3.9.3 wrote user-controlled language values into the `Content-Language` response header after passing them through `utils.escape()`, which is an HTML-entity encoder that does not strip carriage return, line feed, or other control characters. When the application used an older `i18next` (< 19.5.0) that still exercised the backward-compatibility fallback at `LanguageDetector.js:100` or otherwise produced a raw detected value, CRLF sequences in the attacker-controlled `lng` parameter reached `res.setHeader('Content-Language', ...)` verbatim. ### Impact Two concrete outcomes depending on the Node.js version: - **Node.js < 14.6.0 — HTTP response splitting.** An attacker crafting a request like `GET /?lng=en%0d%0aX-Injected%3A+malicious` could inject arbitrary additional HTTP response headers, enabling: - Session fixation via an injected `Set-Cookie` - Cache poisoning (injecting `Location`, `Content-Type`, etc.) - Reflected XSS in controlled response bodies - **Node.js ≥ 14.6.0 — denial of service.** `res.setHeader()` throws `ERR_INVALID_CHAR` when the value contains CRLF. Because the middleware did not catch this error, it propagated as an unhandled exception, returning a 500 response to **all concurrent users sharing that process** (in worker-pool deployments this can knock out a full server instance). The same header-setting code path fires inside the `languageChanged` event listener and again in the main middleware flow, so the flaw was triggered at least twice per affected request. ### Related (same release) Version 3.9.3 also tightens the `hasXSS()` regex that was designed as a secondary filter on detected language values. The previous pattern `/<\s*\w+\s*on\w+\s*=.*?>/i` only matched event handlers in the **first** attribute position, so payloads like `<input autofocus onfocus=alert(1)>` bypassed the filter. Applications that rendered `res.locals.language` into HTML with a context-unsafe templating mode (EJS `<%- %>`, Pug `!{…}`, Handlebars `{{{…}}}`) could be XSSed despite the filter being in place. This bypass is noted here because it is fixed in the same release, but the primary vulnerability reported in this advisory is the CRLF/header-injection path above. ### Affected versions `< 3.9.3`. ### Patch Fixed in **3.9.3**. The patch introduces `utils.sanitizeHeaderValue(str)` which strips `\r`, `\n`, and other C0/C1 control characters, and replaces both `utils.escape(lng)` call sites in `lib/index.js` with it. The `hasXSS()` regex has also been tightened to match event-handler attributes at any position. ### Workarounds No workaround short of upgrading. Front-proxying the middleware with a WAF rule that rejects `\r`/`\n` in query parameters, cookies, and path segments is a partial mitigation. ### Credits Discovered via an internal security audit of the i18next ecosystem.