Vercel's CEO Disclosed Vinext Bugs Within Hours — Here's Why That's a Problem
On February 26, 2026, Cloudflare announced Vinext — an open-source, Vite-powered reimplementation of the Next.js API surface, built by a single engineer directing AI across 800+ sessions in one week, for roughly $1,100 in tokens. It covers 94% of the Next.js API, ships with 1,700+ unit tests and 380 E2E tests, and is already running in production on CIO.gov.
Within hours, Vercel CEO Guillermo Rauch tweeted:
"We've identified, responsibly disclosed, and confirmed 2 critical, 2 high, 2 medium, 1 low security vulnerabilities in Cloudflare's vibe-coded framework Vinext. We believe the security of the internet is the highest priority, especially in the age of AI."
At the same time, he published a "Migrate to Vercel from Cloudflare" guide. This wasn't a security advisory. It was a marketing campaign disguised as one.
What Actually Happened
Let's be clear about the timeline:
Vinext is an experimental, open-source project. Its README says so. Its docs say so. Nobody is pretending it's battle-tested. Disclosing vulnerabilities in an experimental open-source project — within hours of launch, paired with a marketing push — isn't responsible disclosure. It's competitive sabotage wearing a security hat.
The Irony: Next.js's Own Security Track Record
If Vercel truly believes "the security of the internet is the highest priority," they might want to look at their own framework first.
| CVE | Severity | What it did |
|---|---|---|
| CVE-2025-29927 | CVSS 9.1 | Middleware authorization bypass. Any Next.js app using middleware for auth could be completely bypassed with a single header. |
| CVE-2025-55182 | CVSS 10.0 | React2Shell — unauthenticated remote code execution via React Server Components. Default create-next-app builds were exploitable. China-nexus threat groups began exploitation within hours. |
| CVE-2026-23864 | Critical | Server-Side Request Forgery in Next.js, disclosed Feb 2026. |
CVE-2025-55182 alone triggered security advisories from AWS, Google Cloud, Microsoft, Cisco, and Palo Alto Networks. This wasn't an edge case in an experimental project. It was an unauthenticated RCE in the default configuration of the most popular React framework in the world, running in production on millions of sites.
And yet nobody from Cloudflare held a press conference about it.
Sam Curry Said It Best
"Two years ago, I reported an improper path parsing vulnerability in Next.js. Today, they reported the exact same vulnerability to their competitor, Vinext. Funny coincidence."
— Sam Curry (@samwcyo), security researcher
The same class of vulnerability that Vercel's team "discovered" in Vinext had already existed in their own framework. They didn't discover a new attack vector — they already knew where to look because they'd been told about it in their own codebase.
What the Community Said
The developer community wasn't fooled:
@anilkilic
"This is not how it plays out. You give them time for their fix, for their patch, and let their users update to the secure version. I've been a user since Zeit but these last few low blows, not landing."
@Go7hic
"Vinext has already stated it's still an experimental version, so having vulnerabilities is normal. On the other hand, Next.js has been running in production for years, yet still has many high-risk vulnerabilities."
@DontFearAI
"I am no longer impressed that 1 developer at Cloudflare vibe-coded Vinext in a week." (Sarcasm — reacting to how Vercel framed it as reckless)
@kostasbotonakis
"Meanwhile non vibe-coded Next.js be like: 'Hold my beer'" (Referencing the NCSC advisory for CVE-2025-29927)
How Responsible Disclosure Actually Works
There's a well-established process for handling vulnerabilities in open-source projects. Vercel knows this — they've been on the receiving end of it many times. Here's what it looks like:
Responsible Disclosure
- Report privately to maintainers
- Give 90 days to develop a fix
- Coordinate a patch release
- Disclose publicly after users can update
- Credit the maintainers for the fix
What Vercel Did
- Found bugs in an experimental project
- Disclosed on CEO's Twitter within hours
- Published a migration guide same day
- Framed it as a "vibe-coded" security risk
- No time given to patch before going public
Better Ways to Help
If Vercel genuinely cared about the security of the open-source ecosystem, there were far more constructive options:
The Bigger Picture
Vinext matters because it solves a real problem. Next.js is tightly coupled to Vercel's infrastructure. Deploying it anywhere else — Cloudflare, AWS, self-hosted — has always been painful. Vinext reimplements the Next.js API on top of Vite, making it deployable anywhere. It's open source. A proof of concept already runs on Vercel itself.
That's why Vercel responded the way it did. Not because of security concerns — because of competitive threat. An open-source, vendor-neutral alternative to their proprietary lock-in is an existential risk to their business model.
| Vinext (Experimental) | Next.js (Production) |
|---|---|
| 94% Next.js API coverage | CVSS 10.0 RCE in default config |
| 4.4x faster builds than Next.js 16 | CVSS 9.1 middleware auth bypass |
| 56% smaller client bundles | State-sponsored exploitation within hours |
| Open source — deploy anywhere | Vendor-locked to Vercel for best experience |
The Takeaway
Every open-source project has bugs. Vinext is weeks old and explicitly experimental. Next.js is years old, runs in production everywhere, and has shipped a CVSS 10.0 RCE that was mass-exploited by nation-state actors.
The difference isn't the bugs. It's the response. Cloudflare open-sourced Vinext and invited the community to improve it. Vercel's CEO tweeted a vulnerability count and a migration guide within hours. One of these is how open source works. The other is how marketing works.
Security researchers, contributors, and users deserve better from the CEO of a company that stewards one of the most popular frameworks on the web.