The next-intl middleware for Next.js, before version 4.9.1, when configured with localePrefix: 'as-needed', improperly handles certain relative redirect URLs. Specifically, the combination of path handling and the WHATWG URL parser can cause redirects to external hosts via scheme-relative URLs (e.g., starting with '//') or through control characters stripped by the parser. This results in an open redirect vulnerability (CWE-601) that could redirect users from a trusted application URL to an untrusted site. The vulnerability is fixed in next-intl@4.9.1.

An attacker can craft URLs that cause the next-intl middleware to redirect users to arbitrary external websites without user interaction or privileges. This can be used for phishing or redirecting users to malicious sites, potentially undermining user trust in the affected application. The CVSS 4.0 base score is 6.9, indicating a medium severity vulnerability with network attack vector, no privileges or user interaction required, and limited impact on integrity.

Upgrade the next-intl package to version 4.9.1 or later, where this open redirect vulnerability has been patched. Since the vendor advisory indicates the problem has been fixed in version 4.9.1, applying this official fix is the recommended remediation. Patch status is confirmed by the vendor advisory statement.