You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Applications using the next-intl middleware with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative // or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL.
Patches
The problem has been patched, please update to next-intl@4.9.1.
Credits
Many thanks to Joni Liljeblad from Oura for responsibly disclosing the vulnerability and for suggesting the fix.
setNestedProperty in packages/next-intl/src/extractor/utils.tsx walks a dotted key path and assigns the final value without blocking the reserved keys __proto__, constructor, or prototype. When the next-intl Next.js plugin is configured with experimental.messages and messages.precompile: true, a JSON translation catalog containing a top‑level __proto__ key causes setNestedProperty(result, '__proto__.isAdmin', compiledMessage) to assign onto Object.prototype, polluting every object in the running build process.
Details
Root cause — packages/next-intl/src/extractor/utils.tsx:13-34:
The existence check !(key in current) uses the in operator, which walks the prototype chain. For key === '__proto__', '__proto__' in {} is true (it's inherited from Object.prototype) and typeof current['__proto__'] === 'object' (it isObject.prototype). The guard therefore never re-initializes current[key], and current = current['__proto__'] redirects all subsequent writes onto Object.prototype. The final assignment current[keys[keys.length-1]] = value sets Object.prototype[<attacker key>] = <attacker value>.
Build-time data flow:
packages/next-intl/src/plugin/catalog/catalogLoader.tsx:55-83 — the webpack/turbopack loader receives the catalog file source and, if options.messages.precompile is enabled, calls codec.decode(source, {locale}).
packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx:9-18 — decode runs JSON.parse(source). V8 installs __proto__ as an own data property on the result when the JSON key is literally "__proto__" (bypassing the normal Object.prototype.__proto__ setter that would otherwise reassign the prototype).
JSONCodec.tsx:33-53 — traverseMessages iterates Object.keys(obj), which for a JSON‑parsed object includes the own __proto__ key. It reads obj.__proto__ (returns the attacker’s nested object, not Object.prototype, because it's an own property), recurses into it, and emits message id __proto__.isAdmin.
catalogLoader.tsx:89-131 — for each message, calls setNestedProperty(result, message.id, compiledMessage). With message.id === '__proto__.isAdmin', setNestedProperty walks into Object.prototype and assigns Object.prototype.isAdmin = compiledMessage.
The same sink is also reachable via JSONCodec.encode (JSONCodec.tsx:20-26) and POCodec (packages/next-intl/src/extractor/format/codecs/POCodec.tsx:87) during extraction, both of which feed attacker-influenced message.id values into setNestedProperty — but those paths require control of source-code identifiers, which is a weaker attack vector than the build-time catalog path above.
After pollution, every subsequent object access during the remainder of the Next.js build pipeline (webpack, turbopack, babel, next-intl’s own logic) inherits the attacker-controlled properties. This is a classic gadget-chain precondition for corrupting build-tool internals and tampering with generated bundles, since many build tools use patterns like if (obj.someFlag) or options[key] ?? default that are sensitive to polluted prototypes.
Trust boundary note: next-intl’s message catalogs are realistically attacker-influenced in practice. Translation files are routinely round-tripped through external TMS systems (Crowdin, Lokalise, Transifex), accepted via community locale PRs, or pulled from third-party translation packages — any of which can carry a crafted __proto__ key unnoticed, since JSON translation diffs are usually merged with minimal scrutiny.
PoC
Prerequisites: a Next.js project using next-intl ≤ 4.9.1 with the Next.js plugin configured:
After the loader runs, ({}).isAdmin === 'polluted' for the remainder of the build Node process.
Impact
Object.prototype is polluted for the lifetime of the build‑time Node.js process, affecting every object created or inspected thereafter in the Next.js build pipeline (webpack/turbopack loaders, babel plugins, next-intl’s own codecs, user plugins).
Classic CWE-1321 gadget-chain precondition: downstream tools that branch on obj.someFlag, options[key] ?? default, if (!config.noX), etc. can be coerced into unintended behavior, including emitting tampered bundles.
Realistic delivery vectors include TMS round-trips (Crowdin/Lokalise/Transifex), community locale PRs, and compromised/transitively-installed translation packages — all situations where a JSON catalog diff is routinely accepted without the scrutiny given to code changes.
Exploitation requires the user to opt in to the experimental.messages + precompile configuration. Users who do not use the extractor/precompile features are not affected.
Recommended Fix
Reject reserved keys in setNestedProperty and stop using the in operator for the existence check. A minimal patch to packages/next-intl/src/extractor/utils.tsx:
constFORBIDDEN_KEYS=newSet(['__proto__','constructor','prototype']);exportfunctionsetNestedProperty(obj: Record<string,any>,keyPath: string,value: any): void{constkeys=keyPath.split('.');for(constkeyofkeys){if(FORBIDDEN_KEYS.has(key)){thrownewError(`Invalid message id segment: ${key}`);}}letcurrent=obj;for(leti=0;i<keys.length-1;i++){constkey=keys[i];if(!Object.prototype.hasOwnProperty.call(current,key)||typeofcurrent[key]!=='object'||current[key]===null){current[key]=Object.create(null);}current=current[key];}current[keys[keys.length-1]]=value;}
Additionally:
In packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx, make traverseMessages skip reserved keys (or switch to Object.create(null) + Object.hasOwn semantics) so that a malicious catalog is rejected early with a clear error rather than producing __proto__.* message ids.
In packages/next-intl/src/plugin/catalog/catalogLoader.tsx, initialize precompileMessages’s result with Object.create(null) as defense in depth, so even if a key slipped through it could not redirect through Object.prototype.
Handle inconsistency in Next.js when using usePathname with custom prefixes, localePrefix: 'as-needed' and static rendering (#1573) (20fd0f0) – by @amannn
Handle optional catch-all segments in navigation APIs if no value is provided and handle the case if a dynamic value appears multiple times in a pathname (#1259) (58ef482), closes #1236 – by @amannn
Fix open redirect vulnerability for localePrefix: 'as-necessary' by sanitizing pathname in the middleware (#1208) (f42ac01), closes #1207 – by @hblee12294
Apply useMemo for useRouter returned from createLocalizedPathnamesNavigation to keep a stable reference when possible (#1201) (a1b9a36), closes #1198 – by @amannn
Prefer more specific routes in usePathname when detecting the currently active pathname for localized pathnames (#1152) (936839e), closes #1151 – by @amannn
renovateBot
changed the title
fix(deps): update dependency next-intl to v4 [security]
fix(deps): update dependency next-intl to v4 [security] - autoclosed
May 10, 2026
renovateBot
changed the title
fix(deps): update dependency next-intl to v4 [security] - autoclosed
fix(deps): update dependency next-intl to v4 [security]
May 12, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
3.0.0-beta.19→4.9.2next-intl has an open redirect vulnerability
CVE-2026-40299 / GHSA-8f24-v5vv-gm5j
More information
Details
Impact
Applications using the
next-intlmiddleware withlocalePrefix: 'as-needed'could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative//or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL.Patches
The problem has been patched, please update to
next-intl@4.9.1.Credits
Many thanks to Joni Liljeblad from Oura for responsibly disclosing the vulnerability and for suggesting the fix.
Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:NReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
next-intl has prototype pollution with
experimental.messages.precompilevia attacker-controlled translation catalog keysGHSA-4c35-wcg5-mm9h
More information
Details
Summary
setNestedPropertyinpackages/next-intl/src/extractor/utils.tsxwalks a dotted key path and assigns the final value without blocking the reserved keys__proto__,constructor, orprototype. When the next-intl Next.js plugin is configured withexperimental.messagesandmessages.precompile: true, a JSON translation catalog containing a top‑level__proto__key causessetNestedProperty(result, '__proto__.isAdmin', compiledMessage)to assign ontoObject.prototype, polluting every object in the running build process.Details
Root cause —
packages/next-intl/src/extractor/utils.tsx:13-34:The existence check
!(key in current)uses theinoperator, which walks the prototype chain. Forkey === '__proto__','__proto__' in {}istrue(it's inherited fromObject.prototype) andtypeof current['__proto__'] === 'object'(it isObject.prototype). The guard therefore never re-initializescurrent[key], andcurrent = current['__proto__']redirects all subsequent writes ontoObject.prototype. The final assignmentcurrent[keys[keys.length-1]] = valuesetsObject.prototype[<attacker key>] = <attacker value>.Build-time data flow:
packages/next-intl/src/plugin/catalog/catalogLoader.tsx:55-83— the webpack/turbopack loader receives the catalog filesourceand, ifoptions.messages.precompileis enabled, callscodec.decode(source, {locale}).packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx:9-18—decoderunsJSON.parse(source). V8 installs__proto__as an own data property on the result when the JSON key is literally"__proto__"(bypassing the normalObject.prototype.__proto__setter that would otherwise reassign the prototype).JSONCodec.tsx:33-53—traverseMessagesiteratesObject.keys(obj), which for a JSON‑parsed object includes the own__proto__key. It readsobj.__proto__(returns the attacker’s nested object, notObject.prototype, because it's an own property), recurses into it, and emits message id__proto__.isAdmin.catalogLoader.tsx:71—precompileMessages(decoded, cache).catalogLoader.tsx:89-131— for each message, callssetNestedProperty(result, message.id, compiledMessage). Withmessage.id === '__proto__.isAdmin',setNestedPropertywalks intoObject.prototypeand assignsObject.prototype.isAdmin = compiledMessage.The same sink is also reachable via
JSONCodec.encode(JSONCodec.tsx:20-26) andPOCodec(packages/next-intl/src/extractor/format/codecs/POCodec.tsx:87) during extraction, both of which feed attacker-influencedmessage.idvalues intosetNestedProperty— but those paths require control of source-code identifiers, which is a weaker attack vector than the build-time catalog path above.After pollution, every subsequent object access during the remainder of the Next.js build pipeline (webpack, turbopack, babel, next-intl’s own logic) inherits the attacker-controlled properties. This is a classic gadget-chain precondition for corrupting build-tool internals and tampering with generated bundles, since many build tools use patterns like
if (obj.someFlag)oroptions[key] ?? defaultthat are sensitive to polluted prototypes.Trust boundary note: next-intl’s message catalogs are realistically attacker-influenced in practice. Translation files are routinely round-tripped through external TMS systems (Crowdin, Lokalise, Transifex), accepted via community locale PRs, or pulled from third-party translation packages — any of which can carry a crafted
__proto__key unnoticed, since JSON translation diffs are usually merged with minimal scrutiny.PoC
Prerequisites: a Next.js project using next-intl ≤ 4.9.1 with the Next.js plugin configured:
Drop a malicious catalog at
messages/en.json:{ "Greeting": "Hello", "__proto__": { "isAdmin": "polluted" } }Run
next build(ornext dev). ThecatalogLoaderwill invokeJSONCodec.decode→traverseMessages→precompileMessages→setNestedProperty.Minimal reproduction of the sink itself (verified locally against the v4.9.1 source):
Output:
PWNED.Full chain reproduction (also verified):
After the loader runs,
({}).isAdmin === 'polluted'for the remainder of the build Node process.Impact
Object.prototypeis polluted for the lifetime of the build‑time Node.js process, affecting every object created or inspected thereafter in the Next.js build pipeline (webpack/turbopack loaders, babel plugins, next-intl’s own codecs, user plugins).obj.someFlag,options[key] ?? default,if (!config.noX), etc. can be coerced into unintended behavior, including emitting tampered bundles.experimental.messages+precompileconfiguration. Users who do not use the extractor/precompile features are not affected.Recommended Fix
Reject reserved keys in
setNestedPropertyand stop using theinoperator for the existence check. A minimal patch topackages/next-intl/src/extractor/utils.tsx:Additionally:
packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx, maketraverseMessagesskip reserved keys (or switch toObject.create(null)+Object.hasOwnsemantics) so that a malicious catalog is rejected early with a clear error rather than producing__proto__.*message ids.packages/next-intl/src/plugin/catalog/catalogLoader.tsx, initializeprecompileMessages’sresultwithObject.create(null)as defense in depth, so even if a key slipped through it could not redirect throughObject.prototype.Severity
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:LReferences
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
amannn/next-intl (next-intl)
v4.9.2Compare Source
Bug Fixes
precompile: true(#2307) (c0bf0ee) – by @amannnv4.9.1Compare Source
Bug Fixes
v4.9.0Compare Source
Features
transitionTypesonLink(#2302) (02811f5) – by @amannnv4.8.4Compare Source
Bug Fixes
v4.8.3Compare Source
Bug Fixes
@formatjs/intl-localematcher(#2265) (196f1f3) – by @amannnv4.8.2Compare Source
Bug Fixes
next.config.ts(#2245) (f57800e) – by @amannnv4.8.1Compare Source
Bug Fixes
precompilealias on Windows (#2237) (8e7151a) – by @amannnv4.8.0Compare Source
Features
v4.7.0Compare Source
Features
useExtracted(#2200) (ebc5e43) – by @amannnv4.6.1Compare Source
Bug Fixes
useExtracted(#2176) (3937e44) – by @amannnv4.6.0Compare Source
Features
useExtracted, consistency fixes for file references, pruning of messages and sorting of keys (#2155) (c02818e) – by @amannnv4.5.8Compare Source
Bug Fixes
useExtracted(#2152) (9b7c9fe) – by @amannnv4.5.7Compare Source
Bug Fixes
accept-languageparsing when locale cookie is already present (#2143) (0d1331b), closes #2116 – by @lxupv4.5.6Compare Source
Bug Fixes
useExtracted(#2133) (5397c49) – by @amannnv4.5.5Compare Source
Bug Fixes
node_modules(#2120) (0ba9105) – by @amannnv4.5.4Compare Source
Bug Fixes
useExtractedto SWC plugin & handle source maps (#2114) (e63fbc5) – by @amannnv4.5.3Compare Source
Bug Fixes
useExtractedpt. 2 (#2103) (5cbd5da) – by @amannnv4.5.2Compare Source
Bug Fixes
useExtracted(#2099) (b1ff1fa) – by @amannnv4.5.1Compare Source
Bug Fixes
v4.5.0Compare Source
Features
useExtracted(experimental) (#2080) (7a85644) – by @amannnv4.4.0Compare Source
Features
v4.3.12Compare Source
Bug Fixes
getTimeZone(#2053) (bdc2af4), closes #2052 – by @amannnv4.3.11Compare Source
Bug Fixes
NextResponse.rewriteif really necessary (#2051) (43ed4aa) – by @amannnv4.3.10Compare Source
Bug Fixes
@types/reactversion (#2050) (c1e997e), closes #2044 #2044 – by @amannnv4.3.9Compare Source
Bug Fixes
useRouterto another locale (#2021) (c82d0af), closes #2020 – by @amannnv4.3.8Compare Source
Bug Fixes
v4.3.7Compare Source
Bug Fixes
usePathnameinconsistency in Next.js leading to a hydration error with custom prefixes,localePrefix: 'always'and static rendering (#2012) (bc9cb62), closes #2011 vercel/next.js#73085 #1571 – by @hugotigerv4.3.6Compare Source
Bug Fixes
next devfor upcomingnext@15.5.1(#2008) (2bf09ec) – by @amannnv4.3.5Compare Source
Bug Fixes
next {start,info,telemetry}(#1992) (fd0722a) – by @amannnv4.3.4Compare Source
Bug Fixes
'{name'}) (#1950) (4d418f4), closes #1948 – by @amannnv4.3.3Compare Source
Bug Fixes
v4.3.2Compare Source
Bug Fixes
useRouter(#1947) (3ee9c4d) – by @amannnv4.3.1Compare Source
Bug Fixes
getTimeZone(#2053) (bdc2af4), closes #2052 – by @amannnv4.3.0Compare Source
Features
numberinterpolation withuseTranslations(#1929) (a893330), closes #1928 – by @sgleisnerv4.2.0Compare Source
Features
v4.1.0Compare Source
Features
forcePrefixoption forredirectandgetPathname(#1865) (5905976) – by @amannnv4.0.3Compare Source
Features
--turbo(requiresnext@^14.0.3) (#641) (46c6ec7), closes #2503.0.3 (2023-11-15)
Bug Fixes
locale,nowandtimeZoneif these options have been provided toNextIntlClientProvider(#633) (824363a), closes #6313.0.2 (2023-11-15)
Bug Fixes
getTranslations({namespace})without TypeScript integration for messages (#630) (62cf29c), closes #6253.0.1 (2023-11-14)
Add provenance statement to published packages.
v4.0.2Compare Source
Bug Fixes
IntlErrorCodein user code (#1788) (913d307), closes #1787 – by @amannnv4.0.1Compare Source
Bug Fixes
moduleResolution: 'node'(#1785) (b7a4a83), closes /github.com/amannn/next-intl/discussions/1631#discussioncomment-12477848 – by @amannnv4.0.0Compare Source
See the announcement.
(#1412) (172656f) – by @amannn
v3.26.5Compare Source
Bug Fixes
queryin<Link />correctly when usinglocalePrefix: 'as-needed'withdomains(#1732) (ec8776e), closes #1731 – by @amannnv3.26.4Compare Source
Bug Fixes
v3.26.3Compare Source
Bug Fixes
next-intl@4.0(#1485) (1d60d08) – by @amannnv3.26.2Compare Source
Bug Fixes
t.haswhengetTranslationsis called with an object argument (#1616) (64895a2), closes /github.com/amannn/next-intl/discussions/437#discussioncomment-11593318 – by @amannnv3.26.1Compare Source
Bug Fixes
next-intl.devin links (#1601) (40a9a77) – by @amannnv3.26.0Compare Source
Features
v3.25.3Compare Source
Bug Fixes
v3.25.2Compare Source
Bug Fixes
usePathnamewith custom prefixes,localePrefix: 'as-needed'and static rendering (#1573) (20fd0f0) – by @amannnv3.25.1Compare Source
Bug Fixes
trailingSlash: true(#1537) (03a4620) – by @deiniv3.25.0Compare Source
Features
declaration: trueintsconfig.json(#1509) (6b2ca9c) – by @osatonv3.24.0Compare Source
Features
v3.23.5Compare Source
Bug Fixes
prefetch={true}on<Link />(#1463) (fd6d73d), closes #1462 – by @amannnv3.23.4Compare Source
Bug Fixes
negotiator@^1.0(#1460) (b93f297) – by @amannnv3.23.3Compare Source
Bug Fixes
i18n/request.tsinreact-serverlike all other APIs do (#1459) (8c6d5ff) – by @amannnv3.23.2Compare Source
Bug Fixes
<Link />fromcreateNavigation(#1448) (ba0a537) – by @amannnv3.23.1Compare Source
Bug Fixes
ReactNodeArraywhich is removed in React 19 (#1445) (2396345) – by @amannnv3.23.0Compare Source
Features
v3.22.0Compare Source
Features
createNavigation(#1316)requestLocaleparam to getRequestConfig for Next.js 15 support (#1383)localeCookieoption for middleware (#1414)setRequestLocale(#1437)Fixes
domains, handle unknown domains more gracefully (#1389)Deprecations
defaultTranslationValues(#1411)unstable_setRequestLocale(#1437)v3.21.1Compare Source
Bug Fixes
v3.20.0Compare Source
Features
formats(#1346) (b7aa14e) – by @dBianchiiv3.19.5Compare Source
Bug Fixes
Formatstype optional for easier usage (#1367) (a7cbd9b) – by @amannnv3.19.4Compare Source
Bug Fixes
v3.19.3Compare Source
Bug Fixes
v3.19.2Compare Source
Bug Fixes
v3.19.1Compare Source
Bug Fixes
v3.19.0Compare Source
Features
./i18n/request.tsin addition to./i18n.ts(#1308) (258e95e) – by @amannnv3.18.1Compare Source
Bug Fixes
localeis read ingetRequestConfigand also none is returned (#1305) (2f0f781) – by @amannnv3.18.0Compare Source
Features
defineRoutingfor easier i18n routing setup (#1299) (5ff6120) – by @amannnv3.17.6Compare Source
Bug Fixes
v3.17.5Compare Source
Bug Fixes
useTranslationsis only used in Server Components (#1279) (9f1725c) – by @amannnv3.17.4Compare Source
Bug Fixes
@formatjs/intl-localematcherto latest version (#1140) (c217582) – by @amannnv3.17.3Compare Source
Bug Fixes
v3.17.2Compare Source
Bug Fixes
localePrefix: 'as-necessary'by sanitizing pathname in the middleware (#1208) (f42ac01), closes #1207 – by @hblee12294v3.17.1Compare Source
Bug Fixes
useMemoforuseRouterreturned fromcreateLocalizedPathnamesNavigationto keep a stable reference when possible (#1201) (a1b9a36), closes #1198 – by @amannnv3.17.0Compare Source
Features
Intl.*constructors (#1193) (52c4f2c), closes #215 – by @amannnv3.16.0Compare Source
Features
trailingSlash: truein Next.js config (#1190) (cfbdee9) – by @amannnv3.15.5Compare Source
Bug Fixes
redirect(#1178) (3b698d7), closes #1177 – by @amannnv3.15.4Compare Source
Bug Fixes
DomainsConfig(#1175) (c4d1bb0) – by @amannnv3.15.3Compare Source
Bug Fixes
usePathnamewhen detecting the currently active pathname for localized pathnames (#1152) (936839e), closes #1151 – by @amannnv3.15.2Compare Source
Note: Version bump only for package root
v3.15.1Compare Source
Bug Fixes
@formatjs/ecma402-abstractdependency iConfiguration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.