CVE-2026-40299: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in amannn next-intl
next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative `//` or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL. The problem has been patchedin `next-intl@4.9.1`.
AI Analysis
Technical Summary
The next-intl middleware for Next.js, before version 4.9.1, when configured with localePrefix: 'as-needed', improperly handles URL redirects. Specifically, the path handling combined with the WHATWG URL parser can interpret relative redirect targets (such as scheme-relative URLs starting with // or URLs with control characters stripped) as external hosts. This results in an open redirect vulnerability (CWE-601), allowing attackers to redirect users from a trusted application URL to an untrusted external site. The vulnerability has been addressed in next-intl version 4.9.1.
Potential Impact
An attacker could exploit this vulnerability to redirect users from a trusted application URL to an untrusted external site without user interaction or privileges. This could facilitate phishing or other social engineering attacks by leveraging the trusted origin URL. The CVSS 4.0 base score is 6.9 (medium severity), indicating a moderate risk due to network attack vector, no required privileges or user interaction, and limited impact on integrity.
Mitigation Recommendations
Upgrade next-intl to version 4.9.1 or later, where this open redirect vulnerability has been patched. There is no official vendor advisory provided here, but the description confirms the fix in version 4.9.1. Until upgrading, avoid using localePrefix: 'as-needed' or implement additional validation on redirect URLs to prevent off-site redirection.
CVE-2026-40299: CWE-601: URL Redirection to Untrusted Site ('Open Redirect') in amannn next-intl
Description
next-intl provides internationalization for Next.js. Applications using the `next-intl` middleware prior to version 4.9.1with `localePrefix: 'as-needed'` could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative `//` or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL. The problem has been patchedin `next-intl@4.9.1`.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The next-intl middleware for Next.js, before version 4.9.1, when configured with localePrefix: 'as-needed', improperly handles URL redirects. Specifically, the path handling combined with the WHATWG URL parser can interpret relative redirect targets (such as scheme-relative URLs starting with // or URLs with control characters stripped) as external hosts. This results in an open redirect vulnerability (CWE-601), allowing attackers to redirect users from a trusted application URL to an untrusted external site. The vulnerability has been addressed in next-intl version 4.9.1.
Potential Impact
An attacker could exploit this vulnerability to redirect users from a trusted application URL to an untrusted external site without user interaction or privileges. This could facilitate phishing or other social engineering attacks by leveraging the trusted origin URL. The CVSS 4.0 base score is 6.9 (medium severity), indicating a moderate risk due to network attack vector, no required privileges or user interaction, and limited impact on integrity.
Mitigation Recommendations
Upgrade next-intl to version 4.9.1 or later, where this open redirect vulnerability has been patched. There is no official vendor advisory provided here, but the description confirms the fix in version 4.9.1. Until upgrading, avoid using localePrefix: 'as-needed' or implement additional validation on redirect URLs to prevent off-site redirection.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-10T20:22:44.035Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e2a136bdfbbecc5990835c
Added to database: 4/17/2026, 9:08:06 PM
Last enriched: 4/17/2026, 9:23:28 PM
Last updated: 4/21/2026, 8:37:24 AM
Views: 38
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.