i18next-http-middleware ≤ 3.9.6: Remote prototype pollution via missingKeyHandler
What changed
i18next-http-middleware ≤ 3.9.6 compared each request-body key in missingKeyHandler against the literal strings __proto__, constructor, and prototype, so a dotted key such as __proto__.polluted passed the check. A downstream backend that splits the key on keySeparator and writes the value into a nested object then walks into Object.prototype, which is remote prototype pollution when the middleware is used with i18next-fs-backend ≤ 2.6.5. Fixed in 3.9.7 with a new hasUnsafeKeySegment helper that checks every segment of the split key rather than the key as a whole.
Who it affects
Applications that expose missingKeyHandler to untrusted input AND use i18next-fs-backend ≤ 2.6.5. Other downstream backends that split the missing-key string similarly may also be affected.
What to do today
Upgrade i18next-http-middleware to 3.9.7 or later. If you cannot upgrade, apply at least one of the following: do not expose missingKeyHandler to untrusted users; add a request-body filter that splits each key on the configured keySeparator and rejects the request if any segment is __proto__, constructor, or prototype (a check on the whole key string is what the vulnerable versions already did, and it is not enough); or disable missing-key persistence entirely (saveMissing: false).