Vercel Finds 7 Security Vulnerabilities in Cloudflare's AI-Built Next.js Clone

Vercel disclosed 2 critical, 2 high, 2 medium, and 1 low severity vulnerabilities in Cloudflare's Vinext framework - a Next.js reimplementation written almost entirely by Claude AI without human code review.

Vercel CEO Guillermo Rauch announced that his company has found and responsibly disclosed seven security vulnerabilities in Cloudflare's Vinext - the AI-built reimplementation of the Next.js API surface that Cloudflare shipped last week.

"We've identified, responsibly disclosed, and confirmed 2 critical, 2 high, 2 medium, 1 low security vulnerabilities in Cloudflare's vibe-coded framework Vinext. We believe the security of the internet is the highest priority, especially in the age of AI. Vibe coding is a useful tool, especially when used responsibly."

  - Guillermo Rauch, Vercel CEO

Cloudflare confirmed the vulnerabilities through the disclosure process. The framework was written almost completely by Anthropic's Claude AI across 800+ coding sessions, with the project's own README stating that human oversight was "limited to architecture and design decisions, not line-by-line code review."

TL;DR

  • Vercel disclosed 7 vulnerabilities in Cloudflare's Vinext: 2 critical, 2 high, 2 medium, 1 low
  • Vinext is a Next.js API reimplementation built by one engineer using Claude AI in under a week for $1,100 in API tokens
  • Known vulnerability types include SSRF, broken authentication, missing security headers, and improper path parsing
  • Security researcher Sam Curry noted one vulnerability is the same class of bug that existed in Next.js itself two years ago
  • Vercel published a "Migrate to Vercel from Cloudflare" guide with the security disclosure

What Vinext Is and How It Was Built

Vinext isn't a fork of Next.js. It's a clean-room reimplementation of 94% of the Next.js 16 API surface, built on Vite instead of Next.js's native Turbopack compiler. The deployment target is Cloudflare Workers.

Creator: Steve Faulkner, Engineering Director at Cloudflare
Method: 800+ AI coding sessions using Claude via OpenCode
Human review: Architecture and design decisions only, not line-by-line
Build time: Under one week
Cost: ~$1,100 in API tokens
API coverage: 94% of Next.js 16
Tests: 1,700+ Vitest unit tests, 380 Playwright E2E tests
Status: Experimental - README warns it "hasn't been battle-tested with real production traffic"

The performance claims are impressive: 4.4x faster builds than Next.js 16 with Turbopack, and 57% smaller client bundles. Cloudflare also introduced Traffic-aware Pre-Rendering, which queries its own analytics at deploy time to pre-render only pages that actually receive traffic.

The README is unusually candid: "This project is an experiment in AI-driven software development. The vast majority of the code, tests, and documentation were written by AI (Claude Code) with human oversight limited to architecture and design decisions, not line-by-line code review."

The Vulnerabilities

What We Know

Vercel has not published a formal security advisory. No CVE IDs have been assigned. The disclosure happened entirely through Rauch's X post. What has emerged from reporting and community discussion:

  • Server-Side Request Forgery (SSRF) - the framework could be made to issue server-side requests to attacker-chosen URLs
  • Broken authentication flows - authorization bypass issues
  • Missing security headers - absent defensive HTTP headers that modern frameworks usually ship by default
  • Improper path parsing - confirmed by security researcher Sam Curry
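The classes listed above are ones a framework's own request handling has to guard against. As an added example that is not Vinext, Next.js or Vercel code, here are defensive checks for three of them written as plain JavaScript functions a Workers-style fetch handler could call; the hostname allowlist, the protected path prefix and the header set are assumed values chosen for illustration.

```javascript
// Added example, not code from Vinext or Next.js. Allowlist, protected prefix
// and header values below are constructed assumptions for illustration.

// SSRF guard: only let the server fetch https URLs whose hostname is on an
// explicit allowlist. Returns the canonical URL string, or null to refuse.
function safeOutboundUrl(raw, allowedHosts) {
  let url;
  try { url = new URL(raw); } catch { return null; }     // unparsable input
  if (url.protocol !== "https:") return null;            // no http:, file:, etc.
  if (url.username || url.password) return null;         // "https://allowed@other"
  if (!allowedHosts.includes(url.hostname.toLowerCase())) return null;
  return url.href;                                       // normalized by WHATWG URL
}

// Path canonicalization: decode exactly once, reject malformed or unsafe
// bytes, then resolve "." and ".." so authorization sees the path the router
// will actually serve. Returns null when the path should be refused outright.
function normalizePath(rawPath) {
  let decoded;
  try { decoded = decodeURIComponent(rawPath); } catch { return null; } // bad %-escape
  if (decoded.includes("\0") || decoded.includes("\\")) return null;
  const out = [];
  for (const seg of decoded.split("/")) {
    if (seg === "" || seg === ".") continue;             // "//" and "/./" collapse
    if (seg === "..") {                                  // fail closed above root
      if (out.length === 0) return null;
      out.pop();
      continue;
    }
    out.push(seg);
  }
  return "/" + out.join("/");
}

// Authorization decisions must use the canonical path; an unparseable path
// is treated as protected so the check fails closed.
function isProtectedPath(rawPath, protectedPrefix) {
  const canon = normalizePath(rawPath);
  if (canon === null) return true;
  return canon === protectedPrefix || canon.startsWith(protectedPrefix + "/");
}

// Defensive headers a framework should emit by default, merged over the
// handler's own headers (copy into new Response(body, { headers }) on Workers).
function withSecurityHeaders(headers) {
  return {
    ...headers,
    "X-Content-Type-Options": "nosniff",
    "X-Frame-Options": "DENY",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains",
  };
}
```

Single decoding is deliberate: a doubly encoded segment such as `%252e%252e` stays literal after one decode, so the router and the check must agree on decoding once.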

The Sam Curry Angle

Security researcher Sam Curry posted a pointed observation:

"Two years ago, I reported an improper path parsing vulnerability in Next.js. Today, they reported the exact same vulnerability to their competitor, Vinext. Funny coincidence."

This is significant for two reasons. First, it suggests the AI reproduced a known vulnerability class from the very framework it was reimplementing - Claude likely trained on Next.js code that contained the flaw, then copied the same pattern. Second, it means Vercel is disclosing a bug class in Vinext that its own product previously contained.

The Tenzai Research Context

The Vinext vulnerabilities align with broader findings from security startup Tenzai, which in January 2026 tested five major AI coding agents (Cursor, Claude Code, Codex, Replit, Devin) across 15 applications and found 69 vulnerabilities. Their key finding: AI agents handle well-known vulnerability classes like SQL injection and XSS reasonably well, but consistently fail on authorization logic and business logic security. All five agents introduced SSRF vulnerabilities - the same category found in Vinext.

As we noted in our vibe coding guide, the question has never been whether AI can write code. It's whether AI can write code you can trust without reviewing it.

The Competitive Context

This disclosure doesn't exist in a vacuum. Vercel and Cloudflare have been competing for the edge compute and frontend deployment market for years, and the tension has been escalating.

Companies

Why Cloudflare built Vinext: Next.js tooling is tightly coupled to Vercel's infrastructure, making deployment on competing platforms painful. Vinext reimplements the API surface on standard tooling (Vite) specifically so developers can deploy Next.js-style applications on Cloudflare Workers without Vercel. It is a direct competitive threat to Vercel's core business.

Why Vercel disclosed publicly on X: Rauch published a "Migrate to Vercel from Cloudflare" guide with the security disclosure. The strategic intent is explicit. Responsible disclosure is good practice. Combining it with a migration guide is a sales play.

The 2025 precedent: In March 2025, a critical Next.js middleware bypass vulnerability (CVE-2025-29927) allowed attackers to skip middleware execution by manipulating a header. Cloudflare stepped in with a WAF rule to protect all Cloudflare sites, publicly noting what it described as "inadequate communication from Vercel." Now Vercel is returning the favor.

Users

The immediate impact is limited. Vinext is less than two weeks old, explicitly labeled experimental, and the README warns against production use. The only confirmed production deployment is CIO.gov (a U.S. government site). But Cloudflare has confirmed Vinext is a genuine long-term investment backed by an 80-person Workers organization, not a demo.

For developers assessing Vinext, the vulnerabilities raise a valid question: can you build security-critical infrastructure with AI-produced code that was never reviewed line-by-line? The answer, based on the evidence, is not yet.

Competitors

Cloudflare hasn't issued a public statement beyond confirming the vulnerabilities through the disclosure process. The Vinext GitHub repository remains active. In GitHub issue #21, Cloudflare's Steve Faulkner confirmed the project is a genuine investment with existing production customers.

The broader competitive picture: the OpenNext community project has been trying to make Next.js deployable on other platforms for years by reverse-engineering its build output. Vinext takes the more ambitious approach of reimplementing the entire API surface. If the security issues are fixable, the architecture could still prove viable. If they aren't, or if more vulnerabilities surface, Cloudflare's "build it with AI in a week" narrative becomes a cautionary tale.

What Happens Next

  • Cloudflare: patch the 7 vulnerabilities, possibly commission an independent security audit (days to weeks)
  • Vercel: publish a formal advisory with technical details if Cloudflare's patches are delayed (weeks)
  • Developers: avoid Vinext for production until post-audit; continue assessing for non-sensitive use (ongoing)
  • AI coding community: increased scrutiny of "vibe-coded" projects shipping without human security review (permanent)

The vulnerabilities themselves are fixable. SSRF, auth bypass, missing headers, path parsing - these are well-understood bug classes with well-understood patches. The harder question is structural: Vinext's README says the code wasn't reviewed by humans. That means the patch process requires either human security review of the AI-created codebase (defeating the speed advantage) or asking the AI to fix its own security bugs (creating a loop that AI safety researchers have flagged as unreliable).

Cloudflare's Steve Faulkner built Vinext in under a week for $1,100. The security audit that Vinext now needs will take longer and cost more. That gap - between what AI can build and what humans must verify - is the real story here, and it's not going away.


Seven vulnerabilities in a framework that was written by AI, not reviewed by humans, and rolled out to at least one government website. The build cost $1,100. The security review will cost more. That's the math on vibe coding in 2026: the writing is cheap, the trust is expensive.

About the author: AI Industry & Policy Reporter

Daniel is a tech reporter who covers the business side of artificial intelligence - funding rounds, corporate strategy, regulatory battles, and the power dynamics between the labs racing to build frontier models.