Open Redirect
CVE-2026-40299
MEDIUM
Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5Blast Radius
ecosystem impact- 1 npm packages depend on next-intl (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 4.9.1.
DescriptionGitHub Advisory
next-intl provides internationalization for Next.js. Applications using the next-intl middleware prior to version 4.9.1with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative // or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL. The problem has been patchedin next-intl@4.9.1.
AnalysisAI
Open redirect vulnerability in next-intl middleware prior to version 4.9.1 allows remote attackers to craft malicious URLs that bypass path handling validation when localePrefix: 'as-needed' is configured, redirecting users to arbitrary hosts via scheme-relative URLs or control characters that the WHATWG URL parser strips. Unauthenticated attackers can exploit this through social engineering (phishing links) to redirect users from trusted application URLs to attacker-controlled domains. Patch available in next-intl@4.9.1.
Technical ContextAI
The vulnerability stems from CWE-601 (URL redirection to untrusted site) in the next-intl internationalization middleware for Next.js applications. The root cause is improper validation of redirect targets when the middleware is configured with localePrefix: 'as-needed'. The WHATWG URL parser implementation handles relative URL resolution differently than expected; attackers can exploit this by constructing URLs with scheme-relative paths (e.g., //attacker.com) or embedding control characters that are stripped during parsing, causing the middleware to resolve these as valid redirect targets to external hosts. The vulnerability affects the path-handling logic that determines locale prefixes and redirect behavior in Next.js routing middleware, allowing attackers to inject crafted path segments that bypass validation checks. The CPE cpe:2.3:a:amannn:next-intl:*:*:*:*:*:*:*:* indicates all versions prior to 4.9.1 are affected.
RemediationAI
Upgrade next-intl to version 4.9.1 or later immediately. In package.json, update the dependency from any version before 4.9.1 to "next-intl": "^4.9.1" and run npm install or yarn upgrade depending on your package manager. If immediate patching is not feasible, implement strict URL validation in your Next.js application by adding middleware that explicitly whitelists allowed redirect targets and rejects scheme-relative URLs (//) or URLs containing control characters before passing them to next-intl's redirect handling. Alternatively, if using localePrefix: 'as-needed', temporarily reconfigure to localePrefix: 'always' until the patch can be deployed, which changes the locale prefix behavior and may mitigate the vulnerability depending on your locale routing logic. Document the configuration change and test application functionality thoroughly before deploying to production, as this alters user-facing URL structure. Monitor application logs for unusual redirect patterns or users reporting unexpected redirects to external domains.
More in Open Redirect
View allA malicious third-party can give a crafted "ssh://..." URL to an unsuspecting victim, and an attempt to visit the URL ca
GFI Kerio Control versions 9.2.5 through 9.4.5 contain an HTTP response splitting vulnerability in the dest parameter of
PHP through 7.0.8 does not attempt to address RFC 3875 section 4.1.18 namespace conflicts and therefore does not protect
Multiple open redirect vulnerabilities in Apache Struts 2.0.0 through 2.3.15 allow remote attackers to redirect users to
Open redirect vulnerability in age-verification.php in the Age Verification plugin 0.4 and earlier for WordPress allows
Open redirect vulnerability in Kaseya Virtual System Administrator (VSA) 7.x before 7.0.0.29, 8.x before 8.0.0.18, 9.0 b
Vulnerability in the Oracle Applications Framework component of Oracle E-Business Suite (subcomponent: Popup windows (li
Unspecified vulnerability in the Oracle Application Server Single Sign-On component in Oracle Fusion Middleware 10.1.4.3
Flarum is open source discussion platform software. Rated medium severity (CVSS 6.5), this vulnerability is remotely exp
Open redirect vulnerability in Novius OS 5.0.1 (Elche) allows remote attackers to redirect users to arbitrary web sites
Open redirect vulnerability in the Redirect function in stageshow_redirect.php in the StageShow plugin before 5.0.9 for
Nteract v.0.28.0 was discovered to contain a remote code execution (RCE) vulnerability via the Markdown link. Rated crit
Vendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today