CVE-2026-40299

Description

next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative `//` or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL. The problem has been patchedin `next-intl@4.9.1`.

CVSS breakdown

CVSS 4.0

Attack Vector

Network

Attack Complexity

Low

Attack Requirements

None

Privileges Required

None

User Interaction

None

Confidentiality (Vulnerable System)

None

Integrity (Vulnerable System)

Low

Availability (Vulnerable System)

None

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

amannn / next-intl< 4.9.1 – < 4.9.1

References

VENDOR_ADVISORYhttps://github.com/amannn/next-intl/security/advisories/GHSA-8f24-v5vv-gm5j
PATCHhttps://github.com/amannn/next-intl/pull/2304
PATCHhttps://github.com/amannn/next-intl/commit/1c80b668aa6d853f470319eec10a3f61e78a70e6
PATCHhttps://github.com/amannn/next-intl/releases/tag/v4.9.1