Skip to content

🚨 [security] Update next-intl 4.3.12 → 4.11.0 (minor)#177

Open
depfu[bot] wants to merge 1 commit into
mainfrom
depfu/update/npm/next-intl-4.11.0
Open

🚨 [security] Update next-intl 4.3.12 → 4.11.0 (minor)#177
depfu[bot] wants to merge 1 commit into
mainfrom
depfu/update/npm/next-intl-4.11.0

Conversation

@depfu

@depfu depfu Bot commented May 6, 2026

Copy link
Copy Markdown
Contributor

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!


Here is everything you need to know about this update. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ next-intl (4.3.12 → 4.11.0) · Repo · Changelog

Security Advisories 🚨

🚨 next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys

Summary

setNestedProperty in packages/next-intl/src/extractor/utils.tsx walks a dotted key path and assigns the final value without blocking the reserved keys __proto__, constructor, or prototype. When the next-intl Next.js plugin is configured with experimental.messages and messages.precompile: true, a JSON translation catalog containing a top‑level __proto__ key causes setNestedProperty(result, '__proto__.isAdmin', compiledMessage) to assign onto Object.prototype, polluting every object in the running build process.

Details

Root cause — packages/next-intl/src/extractor/utils.tsx:13-34:

export function setNestedProperty(
  obj: Record<string, any>,
  keyPath: string,
  value: any
): void {
  const keys = keyPath.split('.');
  let current = obj;

for (let i = 0; i < keys.length - 1; i++) {
const key = keys[i];
if (
!(key in current) ||
typeof current[key] !== 'object' ||
current[key] === null
) {
current[key] = {};
}
current = current[key];
}

current[keys[keys.length - 1]] = value;
}

The existence check !(key in current) uses the in operator, which walks the prototype chain. For key === '__proto__', '__proto__' in {} is true (it's inherited from Object.prototype) and typeof current['__proto__'] === 'object' (it is Object.prototype). The guard therefore never re-initializes current[key], and current = current['__proto__'] redirects all subsequent writes onto Object.prototype. The final assignment current[keys[keys.length-1]] = value sets Object.prototype[<attacker key>] = <attacker value>.

Build-time data flow:

  1. packages/next-intl/src/plugin/catalog/catalogLoader.tsx:55-83 — the webpack/turbopack loader receives the catalog file source and, if options.messages.precompile is enabled, calls codec.decode(source, {locale}).
  2. packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx:9-18decode runs JSON.parse(source). V8 installs __proto__ as an own data property on the result when the JSON key is literally "__proto__" (bypassing the normal Object.prototype.__proto__ setter that would otherwise reassign the prototype).
  3. JSONCodec.tsx:33-53traverseMessages iterates Object.keys(obj), which for a JSON‑parsed object includes the own __proto__ key. It reads obj.__proto__ (returns the attacker’s nested object, not Object.prototype, because it's an own property), recurses into it, and emits message id __proto__.isAdmin.
  4. catalogLoader.tsx:71precompileMessages(decoded, cache).
  5. catalogLoader.tsx:89-131 — for each message, calls setNestedProperty(result, message.id, compiledMessage). With message.id === '__proto__.isAdmin', setNestedProperty walks into Object.prototype and assigns Object.prototype.isAdmin = compiledMessage.

The same sink is also reachable via JSONCodec.encode (JSONCodec.tsx:20-26) and POCodec (packages/next-intl/src/extractor/format/codecs/POCodec.tsx:87) during extraction, both of which feed attacker-influenced message.id values into setNestedProperty — but those paths require control of source-code identifiers, which is a weaker attack vector than the build-time catalog path above.

After pollution, every subsequent object access during the remainder of the Next.js build pipeline (webpack, turbopack, babel, next-intl’s own logic) inherits the attacker-controlled properties. This is a classic gadget-chain precondition for corrupting build-tool internals and tampering with generated bundles, since many build tools use patterns like if (obj.someFlag) or options[key] ?? default that are sensitive to polluted prototypes.

Trust boundary note: next-intl’s message catalogs are realistically attacker-influenced in practice. Translation files are routinely round-tripped through external TMS systems (Crowdin, Lokalise, Transifex), accepted via community locale PRs, or pulled from third-party translation packages — any of which can carry a crafted __proto__ key unnoticed, since JSON translation diffs are usually merged with minimal scrutiny.

PoC

Prerequisites: a Next.js project using next-intl ≤ 4.9.1 with the Next.js plugin configured:

// next.config.ts
import createNextIntlPlugin from 'next-intl/plugin';

const withNextIntl = createNextIntlPlugin({
experimental: {
messages: {
path: './messages',
format: 'json',
locales: 'infer',
precompile: true
}
}
});

export default withNextIntl({});

  1. Drop a malicious catalog at messages/en.json:

    {
      "Greeting": "Hello",
      "__proto__": { "isAdmin": "polluted" }
    }
  2. Run next build (or next dev). The catalogLoader will invoke JSONCodec.decodetraverseMessagesprecompileMessagessetNestedProperty.

  3. Minimal reproduction of the sink itself (verified locally against the v4.9.1 source):

    function setNestedProperty(obj, keyPath, value) {
      const keys = keyPath.split('.');
      let current = obj;
      for (let i = 0; i < keys.length - 1; i++) {
        const key = keys[i];
        if (!(key in current) || typeof current[key] !== 'object' || current[key] === null) {
          current[key] = {};
        }
        current = current[key];
      }
      current[keys[keys.length - 1]] = value;
    }
    

    setNestedProperty({}, 'proto.isAdmin', 'PWNED');
    console.log(({}).isAdmin); // -> "PWNED"

    Output: PWNED.

  4. Full chain reproduction (also verified):

    const parsed = JSON.parse('{"Greeting":"Hello","__proto__":{"isAdmin":"polluted"}}');
    // traverseMessages emits: [{id:"Greeting",message:"Hello"},{id:"__proto__.isAdmin",message:"polluted"}]
    // precompileMessages then calls setNestedProperty(result, "__proto__.isAdmin", "polluted")
    console.log(({}).isAdmin); // -> "polluted"

    After the loader runs, ({}).isAdmin === 'polluted' for the remainder of the build Node process.

Impact

  • Object.prototype is polluted for the lifetime of the build‑time Node.js process, affecting every object created or inspected thereafter in the Next.js build pipeline (webpack/turbopack loaders, babel plugins, next-intl’s own codecs, user plugins).
  • Classic CWE-1321 gadget-chain precondition: downstream tools that branch on obj.someFlag, options[key] ?? default, if (!config.noX), etc. can be coerced into unintended behavior, including emitting tampered bundles.
  • Realistic delivery vectors include TMS round-trips (Crowdin/Lokalise/Transifex), community locale PRs, and compromised/transitively-installed translation packages — all situations where a JSON catalog diff is routinely accepted without the scrutiny given to code changes.
  • Exploitation requires the user to opt in to the experimental.messages + precompile configuration. Users who do not use the extractor/precompile features are not affected.

Recommended Fix

Reject reserved keys in setNestedProperty and stop using the in operator for the existence check. A minimal patch to packages/next-intl/src/extractor/utils.tsx:

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

export function setNestedProperty(
obj: Record<string, any>,
keyPath: string,
value: any
): void {
const keys = keyPath.split('.');
for (const key of keys) {
if (FORBIDDEN_KEYS.has(key)) {
throw new Error(Invalid message id segment: <span class="pl-s1"><span class="pl-kos">${</span><span class="pl-s1">key</span><span class="pl-kos">}</span></span>);
}
}

let current = obj;
for (let i = 0; i < keys.length - 1; i++) {
const key = keys[i];
if (
!Object.prototype.hasOwnProperty.call(current, key) ||
typeof current[key] !== 'object' ||
current[key] === null
) {
current[key] = Object.create(null);
}
current = current[key];
}

current[keys[keys.length - 1]] = value;
}

Additionally:

  • In packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx, make traverseMessages skip reserved keys (or switch to Object.create(null) + Object.hasOwn semantics) so that a malicious catalog is rejected early with a clear error rather than producing __proto__.* message ids.
  • In packages/next-intl/src/plugin/catalog/catalogLoader.tsx, initialize precompileMessages’s result with Object.create(null) as defense in depth, so even if a key slipped through it could not redirect through Object.prototype.

🚨 next-intl has an open redirect vulnerability

Impact

Applications using the next-intl middleware with localePrefix: 'as-needed' could construct URLs where path handling and the WHATWG URL parser resolved a relative redirect target to another host (e.g. scheme-relative // or control characters stripped by the URL parser), so the middleware could redirect the browser off-site while the user still started from a trusted app URL.

Patches

The problem has been patched, please update to next-intl@4.9.1.

Credits

Many thanks to Joni Liljeblad from Oura for responsibly disclosing the vulnerability and for suggesting the fix.

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

↗️ @​formatjs/icu-messageformat-parser (indirect, 2.11.4 → 3.5.7) · Repo · Changelog

Release Notes

3.5.6 (from changelog)

Note: Version bump only for package @formatjs/icu-messageformat-parser

3.5.5 (from changelog)

Note: Version bump only for package @formatjs/icu-messageformat-parser

3.5.4 (from changelog)

Bug Fixes

  • @formatjs/icu-messageformat-parser: use Map.has() instead of in operator in collectVariables (#6242) (bab9109) - by @longlho

Reverts

3.5.3 (from changelog)

Note: Version bump only for package @formatjs/icu-messageformat-parser

3.5.2 (from changelog)

Note: Version bump only for package @formatjs/icu-messageformat-parser

Does any of this look wrong? Please let us know.

↗️ intl-messageformat (indirect, 10.7.18 → 11.2.4) · Repo · Changelog

Release Notes

11.2.3 (from changelog)

Note: Version bump only for package intl-messageformat

11.2.2 (from changelog)

Note: Version bump only for package intl-messageformat

11.2.1 (from changelog)

Bug Fixes

Reverts

11.2.0 (from changelog)

Features

  • @formatjs/ecma402-abstract: migrate from decimal.js to @formatjs/bigdecimal (#6148) (93744d4) - by @longlho

11.1.3 (from changelog)

Note: Version bump only for package intl-messageformat

Does any of this look wrong? Please let us know.

🆕 @​parcel/watcher (added, 2.5.6)

🆕 @​parcel/watcher-android-arm64 (added, 2.5.6)

🆕 @​parcel/watcher-darwin-arm64 (added, 2.5.6)

🆕 @​parcel/watcher-darwin-x64 (added, 2.5.6)

🆕 @​parcel/watcher-freebsd-x64 (added, 2.5.6)

🆕 @​parcel/watcher-linux-arm-glibc (added, 2.5.6)

🆕 @​parcel/watcher-linux-arm-musl (added, 2.5.6)

🆕 @​parcel/watcher-linux-arm64-glibc (added, 2.5.6)

🆕 @​parcel/watcher-linux-arm64-musl (added, 2.5.6)

🆕 @​parcel/watcher-linux-x64-glibc (added, 2.5.6)

🆕 @​parcel/watcher-linux-x64-musl (added, 2.5.6)

🆕 @​parcel/watcher-win32-arm64 (added, 2.5.6)

🆕 @​parcel/watcher-win32-ia32 (added, 2.5.6)

🆕 @​parcel/watcher-win32-x64 (added, 2.5.6)

🆕 @​swc/core-darwin-arm64 (added, 1.15.33)

🆕 @​swc/core-darwin-x64 (added, 1.15.33)

🆕 @​swc/core-linux-arm-gnueabihf (added, 1.15.33)

🆕 @​swc/core-linux-arm64-gnu (added, 1.15.33)

🆕 @​swc/core-linux-arm64-musl (added, 1.15.33)

🆕 @​swc/core-linux-ppc64-gnu (added, 1.15.33)

🆕 @​swc/core-linux-s390x-gnu (added, 1.15.33)

🆕 @​swc/core-linux-x64-gnu (added, 1.15.33)

🆕 @​swc/core-linux-x64-musl (added, 1.15.33)

🆕 @​swc/core-win32-arm64-msvc (added, 1.15.33)

🆕 @​swc/core-win32-ia32-msvc (added, 1.15.33)

🆕 @​swc/core-win32-x64-msvc (added, 1.15.33)

🆕 @​swc/counter (added, 0.1.3)

🆕 @​swc/types (added, 0.1.26)

🆕 icu-minify (added, 4.11.0)

🆕 next-intl-swc-plugin-extractor (added, 4.11.0)

🆕 @​swc/core (added, 1.15.33)

🆕 node-addon-api (added, 7.1.1)

🆕 po-parser (added, 2.1.1)

🆕 @​formatjs/intl-localematcher (added, 0.8.6)

🆕 @​swc/helpers (added, 0.5.21)

🆕 picomatch (added, 4.0.4)

🗑️ @​formatjs/ecma402-abstract (removed)

🗑️ @​formatjs/intl-localematcher (removed)

🗑️ @​formatjs/intl-localematcher (removed)


Depfu Status

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands
@​depfu rebase
Rebases against your default branch and redoes this update
@​depfu recreate
Recreates this PR, overwriting any edits that you've made to it
@​depfu merge
Merges this PR once your tests are passing and conflicts are resolved
@​depfu cancel merge
Cancels automatic merging of this PR
@​depfu close
Closes this PR and deletes the branch
@​depfu reopen
Restores the branch and reopens this PR (if it's closed)
@​depfu pause
Ignores all future updates for this dependency and closes this PR
@​depfu pause [minor|major]
Ignores all future minor/major updates for this dependency and closes this PR
@​depfu resume
Future versions of this dependency will create PRs again (leaves this PR as is)

@depfu depfu Bot added dependencies Pull requests that update a dependency file depfu labels May 6, 2026
@depfu depfu Bot assigned Skolaczk May 6, 2026
@depfu depfu Bot requested a review from Skolaczk May 6, 2026 18:05
@vercel

vercel Bot commented May 6, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
next-starter Error Error May 6, 2026 6:06pm

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file depfu

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant