GHSA-f89g-whpf-6q9m

GitHub Security Advisory

Cross-Site Scripting in i18next

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

Affected versions of `i18next` allow untrusted user input to be injected into dictionary key names, resulting in a cross-site scripting vulnerability.

## Proof of Concept
```js
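var init = i18n.init({debug: true}, function(){
  var test = i18n.t('__firstName__ __lastName__', {
    escapeInterpolation: true,
    // Untrusted value that is itself a placeholder token
    firstName: '__lastNameHTML__',
    lastName: '<script>',
  });
  console.log(test);
});
// equals "<script> &lt;script&gt;"
// The first <script> is emitted unescaped even though escapeInterpolation is true.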
```
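
The output above shows that the value substituted for `firstName` was scanned again for placeholders. The following added example (not i18next's code and not part of the advisory) models that behaviour with a hypothetical `interpolateSequential` and contrasts it with a single-pass `interpolateSinglePass`; both functions and their simplified `__key__` / `__keyHTML__` handling are assumptions drawn from the PoC's output.

```javascript
// Simplified model of the flaw; hypothetical helpers, not i18next source.
const escapeHtml = (s) =>
  String(s).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

// Vulnerable shape: one replacement pass per key over the growing output,
// so a value inserted for an earlier key is rescanned for later keys' tokens.
function interpolateSequential(template, values) {
  let out = template;
  for (const [key, value] of Object.entries(values)) {
    out = out.split(`__${key}HTML__`).join(String(value));  // raw variant
    out = out.split(`__${key}__`).join(escapeHtml(value));  // escaped variant
  }
  return out;
}

// Hardened shape: a single pass over the original template only.
// Replacement text is never rescanned, so tokens inside values stay inert.
// Assumption: keys are alphanumeric (no underscores).
function interpolateSinglePass(template, values) {
  return template.replace(/__([A-Za-z0-9]+?)(HTML)?__/g, (token, key, raw) => {
    if (!Object.prototype.hasOwnProperty.call(values, key)) return token;
    return raw ? String(values[key]) : escapeHtml(values[key]);
  });
}

// Constructed input mirroring the proof of concept above.
const pocTemplate = '__firstName__ __lastName__';
const pocValues = { firstName: '__lastNameHTML__', lastName: '<script>' };

console.log(interpolateSequential(pocTemplate, pocValues));
console.log(interpolateSinglePass(pocTemplate, pocValues));
```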

## Recommendation

Update to version 1.10.3 or later.

Affected Packages

npm i18next
Affected versions: 0 (fixed in 1.10.3)

Related CVEs

Key Information

GHSA ID: GHSA-f89g-whpf-6q9m
Published: November 9, 2018 5:46 PM
Last Modified: September 8, 2023 11:59 PM
CVSS Score: 5.0/10
Primary Ecosystem: npm
Primary Package: i18next
GitHub Reviewed: ✓ Yes

Dataset

Last updated: August 31, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.