Uncontrolled external site redirect in next-intl

Description

next-intl has an open redirect vulnerability

Impact

In applications using the next-intl middleware with localePrefix: 'as-needed', the middleware's path handling combined with the WHATWG URL parser could resolve a relative redirect target to a different host (for example a scheme-relative target beginning with //, or a target containing control characters that the URL parser strips before parsing). As a result, the middleware could redirect the browser off-site even though the user started from a trusted application URL.
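The parser behaviour described above can be checked directly: the WHATWG URL parser removes ASCII tab and newline characters from its input and, for special schemes such as https, treats a backslash like a slash, so a path that looks relative can become scheme-relative after parsing. The following is an added example (not next-intl's code; the function names, the origin and the sample targets are assumptions) showing where the parser would send each target and a same-origin check a middleware could apply before emitting a redirect.

```javascript
// Constructed sample origin for the application serving the redirect.
const ORIGIN = 'https://app.example';

// Host the WHATWG parser resolves `target` to when it is taken as a
// redirect Location relative to `origin`. Shows the confusion: a target
// that starts with "/" may still end up on another host after parsing.
function parserHost(target, origin) {
  return new URL(target, origin).host;
}

// ASCII controls (stripped or rejected by the parser) and backslash
// (treated as "/" for special schemes) can change how a path is parsed.
const DANGEROUS = /[\u0000-\u001f\u007f\\]/;

// Decide whether `target` may be used as a redirect for an app at `origin`.
// Returns { safe, href, reason }; href is the resolved URL when parseable.
function checkRedirect(target, origin) {
  if (typeof target !== 'string' || DANGEROUS.test(target)) {
    return { safe: false, href: null, reason: 'control character or backslash in target' };
  }
  // Exactly one leading slash: "//host" is scheme-relative, not a path.
  if (!target.startsWith('/') || target.startsWith('//')) {
    return { safe: false, href: null, reason: 'not a single-slash relative path' };
  }
  let resolved;
  try {
    resolved = new URL(target, origin);
  } catch {
    return { safe: false, href: null, reason: 'unparseable target' };
  }
  // Final check through the same parser the browser uses: the resolved
  // origin must be the application's own origin.
  if (resolved.origin !== new URL(origin).origin) {
    return { safe: false, href: resolved.href, reason: 'resolves to ' + resolved.host };
  }
  return { safe: true, href: resolved.href, reason: 'same origin' };
}

// Constructed sample targets: one legitimate locale path, then variants
// of the patterns the advisory describes (scheme-relative, control
// character, backslash, absolute URL).
const SAMPLES = [
  '/de/account',
  '//attacker.example/x',
  '/\t/attacker.example',
  '/\\attacker.example',
  'https://attacker.example/',
];

function report() {
  return SAMPLES.map((t) => ({ target: t, result: checkRedirect(t, ORIGIN) }));
}
```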

Patches

The problem has been patched; please update to [email protected].

Credits

Many thanks to Joni Liljeblad from Oura for responsibly disclosing the vulnerability and for suggesting the fix.
