
Cloudflare boasted about a single engineer with just $1,100 in AI tokens building “a drop-in replacement for Next.js” in a week. This kicked off a beef with Vercel, which maintains Next.js, a popular web development tool. The ambitious project arrived riddled with security holes, but with enough punch to rattle the industry.
The Next.js framework, built and maintained by Vercel, is technically free and open source and used by millions of developers. But critics have long complained about a hidden moat – engineering decisions that make Next.js work best on Vercel’s own hosting platform.
Developers need specific workarounds and fragile adapters, such as OpenNext, to make their Next.js projects compatible with major platforms like AWS Lambda and Cloudflare Workers.
But Cloudflare has said no more. The tech giant dedicated an entire engineer who, working with Claude, rebuilt a Next.js alternative from scratch. In one week. Spending just $1,100 on tokens.
Last week, the tech giant publicly announced vinext as a reimplementation of the popular front-end framework. Vinext completely bypasses Vercel’s Turbopack, a build tool that converts code into the files browsers actually run: HTML, CSS, and JavaScript.
At vinext’s core is Vite – an open-source alternative build tool that does the same job, but is more universal and maintained by a broader community.
“We already have customers running it in production,” Cloudflare said in a blog post.
“Vinext is built with Cloudflare Workers as the first deployment target. A single command takes you from source code to a running Worker.”
Many developers welcomed the news, as the new solution requires no code changes to deploy to other platforms. However, many also pointed out that it is not a full replacement yet due to some missing features.
It’s no surprise that Vercel is treating the move as an attack on its turf. Vercel counterpunched by releasing a detailed guide on how to migrate from Cloudflare to its platform.
“I also think they're intellectually dishonest and push a lot of low-quality stuff. That's why we exist,” Guillermo Rauch, CEO of Vercel, commented on X.
Bugs plague vinext
The rushed, vibe-coded (AI-assisted) release of vinext is backfiring.
Just two days after the vinext release, Rauch posted that Vercel identified and “responsibly disclosed” seven vinext vulnerabilities, two of them critical.
“We believe the security of the internet is the highest priority, especially in the age of AI. Vibe coding is a useful tool, especially when used responsibly,” Rauch said.
“Our security research and framework teams are extending their help and expertise to Cloudflare in the interest of the public internet's security.”
Vercel’s CEO also noted that they’re getting paid for the discoveries by Cloudflare's bug bounty program and expressed willingness to donate the funds to “interesting AI and cybersecurity research teams or open source projects.”
Independent security researchers followed, disclosing dozens more bugs affecting vinext.
Hacktron’s researcher released a report stating that its AI tool found 45 vulnerabilities, 24 of which were manually validated.
“I knew it was going to be a goldmine,” the report dubbed “Vibe-hacking Cloudflare’s vibe-coded Next.js replacement” reads.
“The moment I saw the announcement on Twitter, I gave Hacktron context describing the attack surface to look for and went to sleep.”
The researcher explains that complex vibe-coded projects are structurally vulnerable.
The report details four critical vulnerabilities, including race conditions, cross-request state pollution, and unsafe global fallbacks, that lead to data leaks. Hacktron also found seven additional high-severity vulnerabilities, and many more lower-severity bugs.
The worst bug enables attackers to hijack sessions – one user’s request can read another user’s auth token. Another bug can be exploited by hackers to poison the cache, meaning a user's profile with sensitive data could be stored and served to every subsequent visitor to the website. The third-worst bug allows attackers to bypass middleware and walk straight into any password-protected page, such as admin panels.
Still, the researcher acknowledges that vinext, built in one week by one engineer, is “an insane showcase of what current models can do.”
“The catch is that most of the tests driving vinext are functional requirements. ‘Make it behave like X,’ ‘match these outputs,’ ‘pass these cases.’ Vulnerabilities do not live there. They live in the negative space, and in complex interactions between layers, the stuff nobody wrote a test for,” the researcher explains.
Cloudflare patching bugs silently?
The Hacktron report also notes that “traditional 90-day disclosure policies aren’t going to hold up when things are shipping at this speed.”
The researchers explain they held off their reporting for only a day while trying to reach the repo owner on Twitter.
“I was thinking of bundling everything into one big report, but interestingly, Vercel’s security team independently flagged a few of the same bugs, and Cloudflare started patching,” the report reads.
“I didn’t get any acknowledgement on GitHub or HackerOne that my reports were received, but the issues did get fixed on GitHub, which is good.”
The report also warns that while vibe-coding makes software building easier, bug hunting doesn’t scale the same way – more shipped code means more search space.
“If your adversary has even slightly more resources, odds are they find what you missed.”
Cybernews has reached out to Cloudflare for comment on the vulnerability disclosures and will include its response.
Cloudflare underscores that vinext’s current status is experimental. The tech firm acknowledges that “almost every line of code in vinext was written by AI.”
“It’s not even one week old, and it has not yet been battle-tested with any meaningful traffic at scale. If you’re evaluating it for a production application, proceed with appropriate caution,” the blog post reads.
While the bugs are being ironed out, Cloudflare claims that its vinext implementation has significantly faster production build times and smaller client bundle sizes compared to Next.js.
“The current deployment target is Cloudflare Workers, but that’s a small part of the picture. Something like 95% of vinext is pure Vite. The routing, the module shims, the SSR pipeline, the RSC integration: none of it is Cloudflare-specific. Cloudflare is looking to work with other hosting providers about adopting this toolchain for their customers,” the tech giant promised.