DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

GHSA-8f24-v5vv-gm5j: Open Redirect in next-intl Middleware via URL Parsing Discrepancy


Vulnerability ID: GHSA-8F24-V5VV-GM5J
CVSS Score: 5.3
Published: 2026-04-10

An open redirect vulnerability exists in the next-intl middleware for Next.js applications prior to version 4.9.1. The sanitization logic fails to account for WHATWG URL Specification rules regarding ASCII control characters, allowing attackers to craft malicious links that bypass validation and execute protocol-relative redirects to arbitrary external domains.

TL;DR

Unsanitized ASCII control characters in next-intl middleware paths allow unauthenticated attackers to execute open redirects via protocol-relative URLs.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-601
  • Attack Vector: Network
  • CVSS v4.0 Score: Moderate
  • Exploit Status: Proof-of-Concept
  • Impact: Open Redirect / Phishing Enabler
  • Authentication: None Required

Affected Systems

  • Next.js applications utilizing the next-intl middleware for internationalized routing.
  • next-intl: < 4.9.1 (Fixed in: 4.9.1)

Code Analysis

Commit: 1c80b66

Fix open redirect vulnerability in middleware sanitization by stripping ASCII control characters

@@ -1,6 +1,7 @@
 export function sanitizePathname(pathname: string) {
   return pathname
     .replace(/\\/g, '%5C')
+    .replace(/[\t\n\r]/g, '')
     .replace(/\/+/g, '/');
 }
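Review bot: the added `.replace(/[\t\n\r]/g, '')` only closes the hole because it runs before `.replace(/\/+/g, '/')`: the tab in `/\t/example.com` keeps the two slashes apart, and once it is removed the following collapse reduces `//example.com` to `/example.com`; with the two steps swapped the sanitizer would emit `//example.com`, which browsers resolve as a protocol-relative URL. Suggest a one-line comment stating that `[\t\n\r]` mirrors the ASCII tab/newline characters the WHATWG URL parser silently discards and that the ordering is load-bearing, plus a regression test with a tab- or newline-separated `//` so a later reorder cannot reopen the issue.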

Exploit Details

  • GitHub Advisory: describes the URL manipulation using URL-encoded tab characters (%09).

Mitigation Strategies

  • Upgrade the next-intl npm package to version 4.9.1 or higher.
  • Deploy WAF rules to block HTTP requests containing %09, %0A, or %0D in the URL path.

Remediation Steps:

  1. Identify projects using next-intl by running 'npm list next-intl'.
  2. Update the package version in package.json to '^4.9.1'.
  3. Run 'npm install' or 'yarn install' to pull the latest dependencies.
  4. Deploy the updated application to production environments.
  5. Verify the fix by testing a payload with an encoded tab (e.g., /en/%09/example.com) to ensure it does not resolve to a protocol-relative URL.
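As an added example (not next-intl's own code and not part of the advisory), the pre-4.9.1 sanitizer and the 4.9.1-style one side by side, with Node's WHATWG-conformant URL class standing in for the browser to show where each redirect target actually lands. The pathname is a constructed sample, the decoded form of the %09 payload, assumed to be the value the middleware hands to the redirect; https://app.example is a placeholder for the application's own origin.

```javascript
// Added example, not next-intl's own code. Node's URL class implements the
// WHATWG URL Standard, which drops ASCII tab/LF/CR from its input before
// parsing, so a browser reads "/<TAB>/example.com" as "//example.com".

// Pre-4.9.1 sanitizer: backslashes are encoded and slash runs collapsed,
// but tab/newline survive and keep the two slashes apart.
function sanitizePathnameVulnerable(pathname) {
  return pathname
    .replace(/\\/g, '%5C')
    .replace(/\/+/g, '/');
}

// 4.9.1-style sanitizer: control characters are dropped *before* the slash
// collapse, so the "//" they were hiding is reduced to a single "/".
function sanitizePathnameFixed(pathname) {
  return pathname
    .replace(/\\/g, '%5C')
    .replace(/[\t\n\r]/g, '')
    .replace(/\/+/g, '/');
}

// Same two steps in the wrong order: the collapse runs first and sees no
// "//", then the strip produces one, so this variant is still vulnerable.
function sanitizePathnameWrongOrder(pathname) {
  return pathname
    .replace(/\\/g, '%5C')
    .replace(/\/+/g, '/')
    .replace(/[\t\n\r]/g, '');
}

// Resolve a Location value the way a browser would against the site's own
// origin (a placeholder) and report whether it leaves that origin.
function resolveRedirect(location, origin = 'https://app.example') {
  const target = new URL(location, origin);
  return { href: target.href, external: target.origin !== origin };
}

// Constructed sample: the decoded form of the advisory's %09 payload, assumed
// to be the pathname the middleware hands to the redirect.
const PAYLOAD = decodeURIComponent('/%09/example.com');

// Run one sanitizer over the sample and show where the redirect ends up.
function checkSanitizer(sanitize) {
  return resolveRedirect(sanitize(PAYLOAD));
}

console.log('vulnerable :', checkSanitizer(sanitizePathnameVulnerable));
console.log('wrong order:', checkSanitizer(sanitizePathnameWrongOrder));
console.log('fixed      :', checkSanitizer(sanitizePathnameFixed));
```

Only the fixed variant keeps the redirect on the application's origin; the unsanitized and wrongly ordered variants both resolve to https://example.com/.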

Read the full report for GHSA-8F24-V5VV-GM5J on our website for more details including interactive diagrams and full exploit analysis.
