Summary
setNestedProperty in packages/next-intl/src/extractor/utils.tsx walks a dotted key path and assigns the final value without blocking the reserved keys __proto__, constructor, or prototype. When the next-intl Next.js plugin is configured with experimental.messages and messages.precompile: true, a JSON translation catalog containing a top‑level __proto__ key causes setNestedProperty(result, '__proto__.isAdmin', compiledMessage) to assign onto Object.prototype, polluting every object in the running build process.
Details
Root cause, packages/next-intl/src/extractor/utils.tsx:13-34:
export function setNestedProperty(
obj: Record<string, any>,
keyPath: string,
value: any
): void {
const keys = keyPath.split('.');
let current = obj;
for (let i = 0; i < keys.length - 1; i++) {
const key = keys[i];
if (
!(key in current) ||
typeof current[key] !== 'object' ||
current[key] === null
) {
current[key] = {};
}
current = current[key];
}
current[keys[keys.length - 1]] = value;
}
The existence check !(key in current) uses the in operator, which walks the prototype chain. For key === '__proto__', '__proto__' in {} is true (it's inherited from Object.prototype) and typeof current['__proto__'] === 'object' (it is Object.prototype). The guard therefore never re-initializes current[key], and current = current['__proto__'] redirects all subsequent writes onto Object.prototype. The final assignment current[keys[keys.length-1]] = value sets Object.prototype[<attacker key>] = <attacker value>.
Build-time data flow:
packages/next-intl/src/plugin/catalog/catalogLoader.tsx:55-83, the webpack/turbopack loader receives the catalog filesourceand, ifoptions.messages.precompileis enabled, callscodec.decode(source, {locale}).packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx:9-18,decoderunsJSON.parse(source). V8 installs__proto__as an own data property on the result when the JSON key is literally"__proto__"(bypassing the normalObject.prototype.__proto__setter that would otherwise reassign the prototype).JSONCodec.tsx:33-53,traverseMessagesiteratesObject.keys(obj), which for a JSON‑parsed object includes the own__proto__key. It readsobj.__proto__(returns the attacker’s nested object, notObject.prototype, because it's an own property), recurses into it, and emits message id__proto__.isAdmin.catalogLoader.tsx:71,precompileMessages(decoded, cache).catalogLoader.tsx:89-131, for each message, callssetNestedProperty(result, message.id, compiledMessage). Withmessage.id === '__proto__.isAdmin',setNestedPropertywalks intoObject.prototypeand assignsObject.prototype.isAdmin = compiledMessage.
The same sink is also reachable via JSONCodec.encode (JSONCodec.tsx:20-26) and POCodec (packages/next-intl/src/extractor/format/codecs/POCodec.tsx:87) during extraction, both of which feed attacker-influenced message.id values into setNestedProperty, but those paths require control of source-code identifiers, which is a weaker attack vector than the build-time catalog path above.
After pollution, every subsequent object access during the remainder of the Next.js build pipeline (webpack, turbopack, babel, next-intl’s own logic) inherits the attacker-controlled properties. This is a classic gadget-chain precondition for corrupting build-tool internals and tampering with generated bundles, since many build tools use patterns like if (obj.someFlag) or options[key] ?? default that are sensitive to polluted prototypes.
Trust boundary note: next-intl’s message catalogs are realistically attacker-influenced in practice. Translation files are routinely round-tripped through external TMS systems (Crowdin, Lokalise, Transifex), accepted via community locale PRs, or pulled from third-party translation packages, any of which can carry a crafted __proto__ key unnoticed, since JSON translation diffs are usually merged with minimal scrutiny.
PoC
Prerequisites: a Next.js project using next-intl ≤ 4.9.1 with the Next.js plugin configured:
// next.config.ts
import createNextIntlPlugin from 'next-intl/plugin';
const withNextIntl = createNextIntlPlugin({
experimental: {
messages: {
path: './messages',
format: 'json',
locales: 'infer',
precompile: true
}
}
});
export default withNextIntl({});
Drop a malicious catalog at
messages/en.json:{ "Greeting": "Hello", "__proto__": { "isAdmin": "polluted" } }Run
next build(ornext dev). ThecatalogLoaderwill invokeJSONCodec.decode→traverseMessages→precompileMessages→setNestedProperty.Minimal reproduction of the sink itself (verified locally against the v4.9.1 source):
function setNestedProperty(obj, keyPath, value) { const keys = keyPath.split('.'); let current = obj; for (let i = 0; i < keys.length - 1; i++) { const key = keys[i]; if (!(key in current) || typeof current[key] !== 'object' || current[key] === null) { current[key] = {}; } current = current[key]; } current[keys[keys.length - 1]] = value; } setNestedProperty({}, '__proto__.isAdmin', 'PWNED'); console.log(({}).isAdmin); // -> "PWNED"Output:
PWNED.Full chain reproduction (also verified):
const parsed = JSON.parse('{"Greeting":"Hello","__proto__":{"isAdmin":"polluted"}}'); // traverseMessages emits: [{id:"Greeting",message:"Hello"},{id:"__proto__.isAdmin",message:"polluted"}] // precompileMessages then calls setNestedProperty(result, "__proto__.isAdmin", "polluted") console.log(({}).isAdmin); // -> "polluted"After the loader runs,
({}).isAdmin === 'polluted'for the remainder of the build Node process.
Impact
Object.prototypeis polluted for the lifetime of the build‑time Node.js process, affecting every object created or inspected thereafter in the Next.js build pipeline (webpack/turbopack loaders, babel plugins, next-intl’s own codecs, user plugins).- Classic CWE-1321 gadget-chain precondition: downstream tools that branch on
obj.someFlag,options[key] ?? default,if (!config.noX), etc. can be coerced into unintended behavior, including emitting tampered bundles. - Realistic delivery vectors include TMS round-trips (Crowdin/Lokalise/Transifex), community locale PRs, and compromised/transitively-installed translation packages, all situations where a JSON catalog diff is routinely accepted without the scrutiny given to code changes.
- Exploitation requires the user to opt in to the
experimental.messages+precompileconfiguration. Users who do not use the extractor/precompile features are not affected.
GHSA-4C35-WCG5-MM9H has a CVSS score of 4.2 (Medium). The vector is requires local access, low privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (4.9.2); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Reject reserved keys in setNestedProperty and stop using the in operator for the existence check. A minimal patch to packages/next-intl/src/extractor/utils.tsx:
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);
export function setNestedProperty(
obj: Record<string, any>,
keyPath: string,
value: any
): void {
const keys = keyPath.split('.');
for (const key of keys) {
if (FORBIDDEN_KEYS.has(key)) {
throw new Error(`Invalid message id segment: ${key}`);
}
}
let current = obj;
for (let i = 0; i < keys.length - 1; i++) {
const key = keys[i];
if (
!Object.prototype.hasOwnProperty.call(current, key) ||
typeof current[key] !== 'object' ||
current[key] === null
) {
current[key] = Object.create(null);
}
current = current[key];
}
current[keys[keys.length - 1]] = value;
}
Additionally:
- In
packages/next-intl/src/extractor/format/codecs/JSONCodec.tsx, maketraverseMessagesskip reserved keys (or switch toObject.create(null)+Object.hasOwnsemantics) so that a malicious catalog is rejected early with a clear error rather than producing__proto__.*message ids. - In
packages/next-intl/src/plugin/catalog/catalogLoader.tsx, initializeprecompileMessages’sresultwithObject.create(null)as defense in depth, so even if a key slipped through it could not redirect throughObject.prototype.
Frequently Asked Questions
- What is GHSA-4C35-WCG5-MM9H? GHSA-4C35-WCG5-MM9H is a medium-severity security vulnerability in next-intl (npm), affecting versions <= 4.9.1. It is fixed in 4.9.2.
- How severe is GHSA-4C35-WCG5-MM9H? GHSA-4C35-WCG5-MM9H has a CVSS score of 4.2 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of next-intl are affected by GHSA-4C35-WCG5-MM9H? next-intl (npm) versions <= 4.9.1 is affected.
- Is there a fix for GHSA-4C35-WCG5-MM9H? Yes. GHSA-4C35-WCG5-MM9H is fixed in 4.9.2. Upgrade to this version or later.
- Is GHSA-4C35-WCG5-MM9H exploitable, and should I be worried? Whether GHSA-4C35-WCG5-MM9H is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-4C35-WCG5-MM9H is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-4C35-WCG5-MM9H? Upgrade
next-intlto 4.9.2 or later.