next-intl Open Redirect Vulnerability in Next.js Middleware
Vulnerability
A moderate-severity open redirect vulnerability exists in the next-intl package for Next.js, affecting versions prior to 4.9.1. When the next-intl middleware is configured with 'localePrefix: as-needed', it can be exploited to redirect users to external sites. The underlying cause is that the WHATWG URL parser removes certain control characters from its input, so a crafted URL can bypass the middleware's normal path handling. As a result, users may be redirected away from the trusted application URL without their consent.
Impact
Exploitation of this vulnerability allows an open redirect: users are sent to an external site via a link that appears to originate from the trusted application.
Reproduction
The vulnerability can be reproduced by using the next-intl middleware with the 'localePrefix: as-needed' option. Craft a URL that includes a TAB character or a backslash, which the WHATWG URL parser strips. When the middleware processes such a URL, it redirects to an external host, demonstrating the open redirect.
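As an added illustration (not code from next-intl or from this advisory), the following shows why a redirect target must be compared by its parsed origin rather than by its raw string: Node's URL class implements the WHATWG parser, so it applies the same tab-stripping and backslash handling to the constructed inputs below. The trusted origin and hostnames are placeholders.

```javascript
// Added example: validate a redirect target against the application's own
// origin after WHATWG URL normalization. Node's URL class implements the
// WHATWG parser, so TAB characters are stripped and, for http(s) URLs, a
// backslash is treated as a path separator, exactly as the advisory describes.
const TRUSTED_ORIGIN = "https://app.example"; // constructed placeholder origin

// Returns the normalized same-origin URL string, or null if the target would
// leave TRUSTED_ORIGIN once the parser has normalized it.
function safeRedirectTarget(rawTarget, base = TRUSTED_ORIGIN) {
  let url;
  try {
    url = new URL(rawTarget, base);
  } catch {
    return null; // unparseable input: refuse rather than guess
  }
  // Compare the parsed origin, never the raw string: a leading "/" in the raw
  // input does not guarantee a relative path once "\t" or "\" are normalized.
  if (url.origin !== new URL(base).origin) {
    return null;
  }
  return url.href;
}

// Constructed inputs showing what the WHATWG parser does with each one.
const samples = [
  "/en/about",            // ordinary path: stays on the trusted origin
  "/\t/evil.example/x",   // TAB is stripped -> "//evil.example/x" -> external host
  "/\\evil.example/x",    // "\" is a path separator for http(s) -> external host
  "https://evil.example", // absolute external URL
];

// Map each input to the decision so the rejected cases are visible side by side.
function classify(inputs) {
  return inputs.map((t) => ({ input: t, allowed: safeRedirectTarget(t) }));
}

for (const r of classify(samples)) {
  console.log(JSON.stringify(r));
}
```

Only the first sample is allowed; the two control-character variants resolve to a different origin once parsed and are rejected like the absolute external URL.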
Remediation
Users are advised to update to next-intl version 4.9.1, in which this vulnerability has been patched.
