next-intl, Open Redirect Vulnerability, (Moderate)

Listen to this Post

The vulnerability arises in the `next-intl` middleware when `localePrefix: ‘as-needed’` is configured. An attacker crafts a URL containing a scheme-relative redirect target like `//evil.com` or injects control characters (e.g., newline, carriage return) that the WHATWG URL parser strips during resolution. Normally, the middleware processes pathname prefixes for internationalization. However, due to improper validation of relative redirect destinations, the middleware can be tricked into interpreting a maliciously constructed `next` parameter or similar redirect hint as pointing to an external host. For example, a request to `https://trusted.app//evil.com` might be parsed, where the double slash causes the URL parser to treat `evil.com` as the host. The middleware then issues a 307 redirect to that external location, while the user still sees the trusted origin in the address bar briefly. This open redirect bypasses typical same-origin checks because the path handling and URL parser behavior diverge from the middleware’s expectations. The flaw specifically affects versions before the patch, where relative redirect targets were not sanitized against scheme-relative or control-character sequences. An attacker could exploit this for phishing, stealing authorization tokens, or bypassing CSRF protections.
Platform: next-intl
Version: <4.9.1
Vulnerability: Open redirect
Severity: Moderate
date: 2026-04-10

Prediction: 2026-04-10 (already patched)

What Undercode Say:

Check installed version
npm list next-intl
Vulnerable pattern in middleware config
grep -r "localePrefix: 'as-needed'" .
Simulate exploit with curl
curl -i "https://trusted-app.com//evil.com"
curl -i "https://trusted-app.com/%0d%0a//evil.com"
Patch command
npm install [email protected]

Exploit:

Attacker sends a link: `https://trusted-app.com//evil.com/phish`. User clicks, middleware redirects to `https://evil.com/phish` while address bar shows `trusted-app.com` briefly. Control characters like `%0a` or `%0d` bypass filters.

Protection from this CVE:

Update to `[email protected]` or later. If unable to update, add custom middleware validation to reject any redirect target containing `//` at start or control characters. Use `URL` constructor with `trusted` base and compare origin.

Impact:

Phishing attacks, session theft, open redirection to malware sites, bypass of CSRF protections, reputational damage for trusted domains.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top