Tanguy

7 Bugs, 7 Hours: The Vercel vs Vinext Security Drama Explained

Feb 26, 2026 — The day open-source security became a marketing weapon

Act 1: Cloudflare Drops Vinext

One engineer. One AI. One week. $1,100 in tokens.

On February 26, Cloudflare open-sourced Vinext — a Vite-powered drop-in replacement for the Next.js API surface. Not a toy. Not a demo. A framework already deployed on CIO.gov, with numbers that made the React ecosystem take notice:

Vinext ships with 1,700 unit tests, 380 E2E tests, full TypeScript checking, and is MIT-licensed.

The README is upfront: Vinext is experimental. It says so in bold. The project invites contributions, bug reports, security disclosures — the whole open-source playbook.

Act 2: Vercel's CEO Fires Back

Within hours — not days, not weeks — hours — Guillermo Rauch, CEO of Vercel, posted this:

Guillermo Rauch @rauchg
Feb 26, 2026
"We've identified, responsibly disclosed, and confirmed 2 critical, 2 high, 2 medium, 1 low security vulnerabilities in Cloudflare's vibe-coded framework Vinext. We believe the security of the internet is the highest priority, especially in the age of AI."

At the same time, Vercel published a "Migrate to Vercel from Cloudflare" page.

Let that sink in. A CEO publicly disclosed vulnerabilities in an experimental open-source competitor — and launched a marketing campaign on the same tweet.

Act 3: The Timeline

Act 4: The Receipts

Security researcher Sam Curry dropped the mic:

Sam Curry @samwcyo
Feb 26, 2026
"Two years ago, I reported an improper path parsing vulnerability in Next.js. Today, they reported the exact same vulnerability to their competitor, Vinext. Funny coincidence."

Read that again. The vulnerability class Vercel "found" in Vinext? They already knew about it because someone reported the same bug in their own framework.

And speaking of Next.js vulnerabilities — here's what Vercel has shipped to production in the past two years:

Next.js — in production
- CVSS 10.0: React2Shell, an unauthenticated RCE. The default create-next-app output was exploitable, and state actors exploited it within hours.
- CVSS 9.1: Middleware auth bypass. One header skips all auth.
- Critical SSRF: CVE-2026-23864, disclosed Feb 2026.

Vinext — experimental
- 1 week old: explicitly labelled experimental in the README.
- 7 bugs: found by a direct competitor within hours of launch.
- Open source: MIT license. Contributions and bug reports welcomed.

One of these shipped a CVSS 10.0 RCE to millions of production sites. The other is a week-old experiment.

Act 5: What Developers Said

anil (@anilkilic):
"This is not how it plays out. You give them time for their fix, for their patch, and let their users update to the secure version. I've been a user since Zeit but these last few low blows, not landing."

YiChu (@Go7hic):
"Vinext has already stated it's still an experimental version, so having vulnerabilities is normal. On the other hand, Next.js has been running in production for years, yet still has many high-risk vulnerabilities."

Konstantinos (@kostasbotonakis):
"Meanwhile non vibe-coded Next.js be like: 'Hold my beer'"
(Linking to the NCSC advisory for CVE-2025-29927)

superscribe.io (@superscribeio):
"Vibe-coded security holes are just regular security holes with better marketing. The real question is whether agents find them faster than humans write them."

Act 6: How This Should Have Played Out

There are well-established, elegant ways for companies to help open-source competitors fix security issues. Vercel ignored all of them.

1. Open a GitHub Security Advisory. Private. Structured. Gives maintainers time to respond. This is the industry standard.

2. Submit PRs with fixes. Don't just point at problems; help solve them. That's what open source is for.

3. Coordinate a 90-day disclosure. Give maintainers a window. Disclose publicly after users can patch. Google Project Zero does this.

4. Contribute security tests. Add fuzzing, pen-test suites, or hardened test cases to the project. Lift the whole ecosystem.

5. Tweet from the CEO, plus a migration guide. This is what Vercel chose. Hours after launch. On the CEO's personal account. With a sales page.

Four constructive options. Vercel picked the fifth.

Act 7: Why It Actually Matters

This isn't just drama. It's about the future of the web framework ecosystem.

Next.js has a structural problem: it's tightly coupled to Vercel's infrastructure. Deploying on Cloudflare, AWS, or self-hosted has always been painful. That's not accidental — it's the business model. Vercel makes money when Next.js is hard to deploy elsewhere.

Vinext breaks that lock-in. A vendor-neutral, Vite-based implementation that deploys anywhere — including on Vercel itself. That's not a security threat. It's a business threat.

The Lock-In

Next.js works best on Vercel. Always has. Deploying elsewhere means missing features, slower builds, broken edge functions. That's by design.

The Threat

Vinext reimplements the API on Vite. Deploy anywhere. No vendor lock-in. A PoC already runs on Vercel itself. That's an existential problem for the business model.

The Response

Not a GitHub issue. Not a PR. Not a private email. A CEO tweet with a vulnerability count and a migration page. The message is clear: fear, not help.

The Bottom Line

Every open-source project ships with bugs. That's the deal. You open the code, people find issues, you fix them together. That's how it works.

But weaponising vulnerability disclosures — against an experimental project, within hours, alongside a marketing push — that's not security. That's sabotage with a press release.

Next.js shipped a CVSS 10.0 RCE that was exploited by nation-state actors. Vinext is one week old and labelled experimental. The question isn't whether Vinext has bugs. The question is why the CEO of Vercel chose to make it a spectacle instead of opening a pull request.

10.0: Next.js CVSS score for React2Shell, a production RCE.
1 week: Vinext's age at disclosure. Experimental. Open source.
0: PRs submitted by Vercel to fix the bugs they found.
