Cloudflare Vinext: 45 Vulnerabilities Found in Vibe-Coded Next.js Framework — Session Hijacking, Cache Poisoning, Middleware Bypass
Hacktron AI's independent security analysis of Cloudflare's AI-generated Vinext framework uncovered 45 vulnerabilities with 24 manually validated, including 4 critical flaws: race conditions enabling cross-request state pollution, cache poisoning that serves private user data to all subsequent visitors, and a middleware bypass exposing admin panels to unauthenticated requests. Vercel's Guillermo Rauch separately disclosed 7 confirmed vulnerabilities via responsible disclosure. Cloudflare built Vinext in roughly one week using Claude Code with 'human oversight limited to architecture and design decisions, not line-by-line code review' — the first enterprise-scale proof that vibe-coded production infrastructure ships critical security debt at scale.
Source
↳ Follow the thread