CVE-2026-40299
Open Redirect Vulnerability in next-intl Middleware Prior to
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| next-intl | next-intl | < 4.9.1 (4.9.1 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-601 | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in the next-intl middleware for Next.js applications prior to version 4.9.1 when the localePrefix option is set to 'as-needed'.
In this configuration, the middleware could construct redirect URLs from the request path in a way that the WHATWG URL parser resolves to a different host. This happens with scheme-relative paths (those starting with //) and with control characters, which the parser strips before parsing, so a target that looks like a relative path is parsed as a different authority.
As a result, the middleware could redirect a user from a trusted application URL to an off-site location the user did not intend to visit.
This issue was fixed in next-intl version 4.9.1.
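As an added example (not code from next-intl or the advisory), a same-origin check that a Next.js middleware can apply to a redirect target before issuing it: it resolves the target the way the WHATWG URL parser does and refuses anything that lands off-host, including the scheme-relative and control-character forms described above. The host names and function names are constructed for illustration.

```javascript
// Added example, not next-intl's code. Node's global URL implements the WHATWG
// URL Standard, so resolving a candidate target against the request URL shows
// where a browser would actually send the user.

// C0 controls, space and DEL: the WHATWG parser strips or ignores these before
// parsing, so "/\t/evil.example" is parsed as "//evil.example" (scheme-relative).
const CONTROL_CHARS = /[\u0000-\u0020\u007f]/;

// Leading "//", "/\", "\/" or "\\": for special schemes (http, https) the parser
// treats backslash like slash, and two of them introduce an authority (host).
const AUTHORITY_PREFIX = /^[\/\\]{2}/;

// Resolve `target` against the request URL and report where it lands.
function resolveRedirect(target, requestUrl) {
  const base = new URL(requestUrl);
  const resolved = new URL(target, base);
  return {
    href: resolved.href,
    host: resolved.host,
    sameOrigin: resolved.origin === base.origin,
  };
}

// Return an absolute same-origin URL to redirect to, or null to refuse.
// The origin comparison after resolution is the authoritative check; the
// pattern checks before it reject inputs the parser would silently rewrite.
function safeRedirectTarget(target, requestUrl) {
  if (typeof target !== "string" || target.length === 0) return null;
  if (CONTROL_CHARS.test(target)) return null;      // tabs, newlines, NUL, ...
  if (AUTHORITY_PREFIX.test(target)) return null;   // "//host", "/\host", ...
  const { href, sameOrigin } = resolveRedirect(target, requestUrl);
  return sameOrigin ? href : null;
}

// Constructed inputs: a legitimate locale-prefixed path and three off-site forms.
const REQUEST_URL = "https://app.example/about";
for (const t of ["/en/about", "//evil.example/en", "/\t/evil.example", "/\\evil.example"]) {
  console.log(JSON.stringify(t), "->", safeRedirectTarget(t, REQUEST_URL));
}
```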
How can this vulnerability impact me?
This vulnerability allows an attacker to redirect users from a trusted application URL to an external, potentially malicious website.
Such off-site redirects can be used for phishing, where users are tricked into entering sensitive information or downloading malware because the link they followed appeared to belong to your application.
It can also undermine user trust in your application and lead to security breaches if users are redirected to harmful sites.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update the next-intl package to version 4.9.1 or later, where the issue has been patched.