Description
next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative `//` or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL. The problem has been patchedin `next-intl@4.9.1`.
Published: 2026-04-17
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Open Redirect
Action: Patch
AI Analysis

Impact

The vulnerability in the next‑intl middleware allows an attacker to influence the redirect target processed by the browser. By manipulating a relative redirect in an application using the middleware with localePrefix set to "as-needed", the WHATWG URL parser resolves the target to another host. This leads to the browser being sent to an off‑site domain while the user believes the navigation originates from a trusted application URL. The weakness is a classic open‑redirect flaw (CWE‑601). The impact is the potential for phishing, credential theft, or malicious site visits without user awareness.

Affected Systems

The affected product is amannn's next‑intl, a package used for internationalization in Next.js applications. Systems that employ a version prior to 4.9.1 of next‑intl and have the localePrefix configuration set to "as-needed" are vulnerable. Versions 4.9.1 and newer contain the fix.

Risk and Exploitability

The vulnerability has a CVSS score of 6.9, indicating a moderate severity. The EPSS score is less than 1%, indicating low but non‑zero likelihood of exploitation, but the lack of a KEV listing suggests no widespread exploitation has been reported yet. However, open redirects are widely leveraged in phishing campaigns, so the risk remains non‑negligible. The attack vector is largely user‑initiated through navigation to a crafted link generated by the application.

Generated by OpenCVE AI on April 18, 2026 at 20:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade next‑intl to version 4.9.1 or later
  • Reconfigure the application to avoid using localePrefix 'as-needed' unless absolutely necessary
  • Implement strict validation of redirect targets to allow only trusted hosts

Generated by OpenCVE AI on April 18, 2026 at 20:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8f24-v5vv-gm5j next-intl has an open redirect vulnerability
History

Mon, 20 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
First Time appeared Amannn
Amannn next-intl
Vendors & Products Amannn
Amannn next-intl

Mon, 20 Apr 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

threat_severity

Low

Fri, 17 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Description next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative `//` or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL. The problem has been patchedin `next-intl@4.9.1`.
Title next-intl has an open redirect vulnerability
Weaknesses CWE-601
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Amannn Next-intl
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T15:58:51.149Z

Reserved: 2026-04-10T20:22:44.035Z

Link: CVE-2026-40299

cve-icon Vulnrichment

Updated: 2026-04-20T15:56:13.622Z

cve-icon NVD

Status : Deferred

Published: 2026-04-17T21:16:34.707

Modified: 2026-04-29T21:04:10.060

Link: CVE-2026-40299

cve-icon Redhat

Severity : Low

Publid Date: 2026-04-17T20:49:05Z

Links: CVE-2026-40299 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T14:59:37Z

Weaknesses