GHSA-4c35-wcg5-mm9h: next-intl has prototype pollution with `experimental.messages.precompile` via attacker-controlled translation catalog keys

May 6, 2026

setNestedProperty in packages/next-intl/src/extractor/utils.tsx walks a dotted key path and assigns the final value without blocking the reserved keys __proto__, constructor, or prototype. When the next-intl Next.js plugin is configured with experimental.messages and messages.precompile: true, a JSON translation catalog containing a top‑level __proto__ key causes setNestedProperty(result, '__proto__.isAdmin', compiledMessage) to assign onto Object.prototype, polluting every object in the running build process.

References

github.com/advisories/GHSA-4c35-wcg5-mm9h
github.com/amannn/next-intl
github.com/amannn/next-intl/security/advisories/GHSA-4c35-wcg5-mm9h

Code Behaviors & Features

Detect and mitigate GHSA-4c35-wcg5-mm9h with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →