Anonymous Intelligence Signal

Critical Prototype Pollution Vulnerability Exposed in i18n t() Function

human The Lab unverified 2026-04-17 01:22:37 Source: GitHub Issues

A critical security flaw has been identified in the `t()` function within the `lib/i18n/context.tsx` file. The vulnerability stems from the use of the `k in value` check: the `in` operator tests the object's prototype chain as well as its own properties, so translation keys such as `__proto__`, `constructor`, or `hasOwnProperty` resolve to inherited properties instead of being rejected as missing. An attacker supplying such keys could leak internal function source code or trigger unexpected and hazardous behavior within the application. The vulnerability is present in both the primary and fallback traversal loops on lines 51 and 58, creating two distinct attack vectors.

The issue is classified as a prototype pollution vulnerability, a type of injection attack that can modify the behavior of JavaScript objects at their most fundamental level. The affected `t()` function is a core component for internationalization (i18n), meaning it is likely deeply integrated and frequently called throughout the application. The suggested remediation is a multi-layered fix: first, replace the vulnerable `k in value` checks with `Object.hasOwn(value, k)` to ensure only the object's own properties are accessed. Second, implement a key validation regex (`/^[a-zA-Z0-9_.-]+$/`) at the function's entry point to filter out dangerous key patterns. Invalid keys should be logged with a `console.warn` and returned unchanged to maintain functionality while alerting developers.
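The following is an added illustration, not code from the affected project: a minimal dot-path lookup with a primary locale and an English fallback, modelled on the description above, showing the `k in value` walk beside the `Object.hasOwn` walk with the entry-point key validation. The catalogue, locale names and function names are constructed for the example; `Object.hasOwn` requires Node 16.9 or later.

```javascript
// Constructed sample catalogue: "fr" lacks "nav.about", so that key falls back to "en".
const catalogue = {
  en: { nav: { home: "Home", about: "About" } },
  fr: { nav: { home: "Accueil" } },
};

// Shared traversal; `has` decides whether a segment may be followed.
function walk(dict, parts, has) {
  let value = dict;
  for (const k of parts) {
    if (value === null || typeof value !== "object" || !has(value, k)) return undefined;
    value = value[k];
  }
  return value;
}

const inCheck = (obj, k) => k in obj;               // vulnerable: also matches inherited props
const ownCheck = (obj, k) => Object.hasOwn(obj, k); // hardened: own properties only

// Vulnerable form: "constructor" resolves to Object and its source text is returned,
// "__proto__" resolves to Object.prototype.
function tVulnerable(key, locale = "fr") {
  const parts = key.split(".");
  const hit = walk(catalogue[locale], parts, inCheck) ?? walk(catalogue.en, parts, inCheck);
  return hit === undefined ? key : String(hit);
}

// Remediation: validate the key at the entry point, then follow own properties only.
const KEY_PATTERN = /^[a-zA-Z0-9_.-]+$/;

function tSafe(key, locale = "fr") {
  if (typeof key !== "string" || !KEY_PATTERN.test(key)) {
    console.warn(`i18n: rejected invalid key ${JSON.stringify(key)}`);
    return key; // returned unchanged so rendering keeps working
  }
  const parts = key.split(".");
  const hit = walk(catalogue[locale], parts, ownCheck) ?? walk(catalogue.en, parts, ownCheck);
  return typeof hit === "string" ? hit : key; // never stringify a non-leaf or function
}
```

Note that `constructor`, `hasOwnProperty` and `__proto__` all match the regex, so the own-property check is the layer that actually blocks them; the regex screens out other unexpected characters and gives the warning a place to fire.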

This vulnerability is flagged with the highest priority. Prototype pollution is not merely a data corruption issue; in certain environments and when chained with other flaws, it can escalate to remote code execution. The discovery necessitates immediate scrutiny of all code paths that feed data into the i18n system and a prompt deployment of the fix to mitigate the risk of exploitation. The presence of this flaw in a utility function underscores the broader security pressure on foundational libraries to adopt strict property access controls.