Security Analysis

Vercel Security Incidents & Best Practices

A comprehensive analysis of security incidents affecting the Vercel platform and applications deployed on it, with actionable guidance for securing your deployments.

Vercel Security Overview

Vercel is a leading platform for frontend deployment, powering millions of websites and applications. While Vercel maintains strong security practices, the platform and applications deployed on it have experienced various security incidents over the years.

Understanding these incidents helps developers build more secure applications and configure their Vercel deployments safely.

Notable Security Concerns

Next.js Middleware Authorization Bypass (CVE-2025-29927)

Critical | March 2025

Next.js uses the internal `x-middleware-subrequest` header to mark requests it makes to itself, so that middleware is not re-run on its own subrequests. Because an external client could supply that header too, an attacker who set it to the expected value had middleware skipped entirely, bypassing any authentication, authorization, redirect or rate-limiting logic implemented there. The flaw affected self-hosted Next.js applications that rely on middleware for access control; Vercel's edge network strips the header before a request reaches the application. Upgrade to a patched release (Next.js 15.2.3 or 14.2.25 and later, with backports for older majors), and if you cannot upgrade immediately, drop the header at your reverse proxy or CDN.

Impact

  • Authorization bypass for any route protected only by middleware
  • Affected self-hosted Next.js applications, and deployments on any host that does not strip the header
  • Vercel-hosted apps were not exploitable because the edge network strips the header

Environment Variable Exposure Risks

High | Ongoing Risk

Misconfiguration of environment variables remains one of the most common issues on the platform. Any variable prefixed `NEXT_PUBLIC_` is inlined into the browser JavaScript bundle at build time, so it is visible to anyone who downloads the site; developers frequently apply the prefix to API keys and other secrets, or pull server-only values into client components, and ship them to every visitor.

Common Mistakes

  • Using the `NEXT_PUBLIC_` prefix for API keys or other credentials
  • Importing server-only modules (database clients, SDKs initialised with secrets) into client components
  • Logging secrets in client-side error handlers or forwarding them to browser-side error trackers

Preview Deployment Security

Medium | Configuration Issue

Preview deployments can expose unfinished work and sensitive data if they are not protected. Without Deployment Protection, a preview URL is reachable by anyone who obtains it, and because previews are built from feature branches they often contain functionality, test data or debugging aids that were never meant to be public.

Risks

  • Unfinished features exposed to the public before review
  • Test data or admin interfaces reachable by anyone with the URL
  • Search engines or link scanners indexing preview URLs that leak via chat, tickets or commit messages

Server-Side Request Forgery (SSRF) in Image Optimization

Medium | Historical

The Next.js Image Optimization endpoint (`/_next/image`) fetches whatever remote URL is passed in its `url` query parameter, subject only to the `remotePatterns` allow-list (or the older `domains` option). When that list is too permissive, for example a wildcard hostname, the endpoint becomes a server-side proxy an attacker can point at internal services or other hosts the server can reach but the attacker cannot, a classic SSRF.

Vercel Security Best Practices

Protect Environment Variables

Never use the `NEXT_PUBLIC_` prefix for sensitive values; it tells the build to inline the value into the client bundle. Keep secrets in server-only environment variables and read them only in server components, route handlers, API routes or server actions. Adding `import 'server-only'` to a module that touches secrets makes the build fail if that module is ever pulled into client code, and marking a variable as Sensitive in the Vercel dashboard prevents its value from being read back after creation.

# Good: Server-only
DATABASE_URL=...
API_SECRET=...

# Only for truly public values
NEXT_PUBLIC_APP_URL=...

Secure Preview Deployments

Enable Deployment Protection for preview deployments in Vercel Project Settings → Deployment Protection, using Vercel Authentication (team members sign in) or Password Protection (a shared password). Treat preview URLs as sensitive, do not paste them into public channels, and gate preview-only features in application code as well so that a leaked URL alone is not enough.

Configure Remote Patterns Strictly

Limit image optimization sources to only necessary domains with specific paths.

// next.config.js
images: {
  remotePatterns: [
    {
      protocol: 'https',
      hostname: 'specific-domain.com',
      pathname: '/images/**',
    },
  ],
}
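To see why the strict pattern matters, it helps to run URLs through the allow-list check. The following is an added example, not code from the page or from Next.js: a re-implementation of `remotePatterns` matching with the documented wildcard semantics (`*` matches one hostname label or path segment, `**` matches any number), used to compare the strict configuration above with a permissive `hostname: '**'` one. It is a simplified stand-in for the optimizer's own check, and the internal-host URLs are constructed for illustration.

```javascript
// Added example: a simplified remotePatterns matcher showing how a wildcard
// hostname turns /_next/image?url=... into an SSRF proxy. Not Next.js code.

// Convert a hostname or pathname glob into an anchored RegExp.
// '**' matches across separators; '*' stays within one label/segment.
function globToRegExp(pattern, separator) {
  const escaped = pattern.replace(/[.+?^${}()|\[\]\\]/g, '\\$&'); // leave '*' unescaped
  const source = escaped
    .replace(/\*\*/g, '\u0000')              // placeholder for '**'
    .replace(/\*/g, `[^${separator}]*`)      // single-level wildcard
    .replace(/\u0000/g, '.*');               // multi-level wildcard
  return new RegExp(`^${source}$`);
}

// Does one pattern entry admit this parsed URL?
function matchesPattern(pattern, url) {
  const { protocol, hostname, port, pathname } = url;
  if (pattern.protocol && `${pattern.protocol}:` !== protocol) return false;
  if (pattern.port !== undefined && pattern.port !== port) return false;
  if (!globToRegExp(pattern.hostname, '.').test(hostname)) return false;
  return globToRegExp(pattern.pathname ?? '/**', '/').test(pathname);
}

// True if any configured pattern allows the optimizer to fetch `rawUrl`.
function isAllowedRemoteUrl(remotePatterns, rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false;
  }
  return remotePatterns.some((p) => matchesPattern(p, url));
}

// The configuration recommended above, and the permissive one it replaces.
const STRICT = [{ protocol: 'https', hostname: 'specific-domain.com', pathname: '/images/**' }];
const PERMISSIVE = [{ hostname: '**' }];

// Constructed probe URLs: one legitimate image, one internal-only target.
const PROBES = [
  'https://specific-domain.com/images/2024/logo.png',
  'http://169.254.169.254/latest/meta-data/',
];

function compare() {
  return PROBES.map((u) => ({ url: u, strict: isAllowedRemoteUrl(STRICT, u), permissive: isAllowedRemoteUrl(PERMISSIVE, u) }));
}

if (process.argv.includes('--demo')) {
  console.table(compare());
}
```

Two details matter beyond the hostname. Pinning `protocol: 'https'` blocks plain-HTTP internal targets even when a hostname wildcard slips through, and constraining `pathname` keeps the endpoint from being used to fetch arbitrary resources on an otherwise trusted host.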

Enable Vercel Firewall

Enable Vercel's Web Application Firewall, which provides managed rulesets for common attack classes such as SQL injection and XSS alongside custom rules and IP blocking. Treat it as defence in depth: it cuts commodity attack noise, but it does not replace input validation, parameterised queries and output encoding in the application itself.

Review Function Permissions

Serverless and edge functions run with whatever credentials you give them. Scope the database users, cloud IAM roles and third-party API keys each function uses to the minimum it needs, keep administrative operations behind explicit server-side authorization checks rather than unlisted routes, and do not share one broad credential across every function.

Monitor for Security Headers

Configure security headers (Content-Security-Policy, Strict-Transport-Security, X-Content-Type-Options, X-Frame-Options or CSP `frame-ancestors`, Referrer-Policy, Permissions-Policy) in next.config.js or vercel.json, and verify the headers of every production deployment rather than trusting the configuration once; a later config change or a header set by an intermediate proxy can silently undo them.
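The following is an added example, not code from the page or from Vercel: a header baseline in the shape next.config.js `headers()` expects, plus an audit function that compares a live response against it so the check can run on a schedule or after each deploy. The header values are a reasonable starting point rather than a universal policy; the Content-Security-Policy in particular is an assumption and has to be tuned to the application's scripts and assets.

```javascript
// Added example: security-header baseline for next.config.js and an audit
// that checks a deployed response against it. Values are assumptions to tune.
const SECURITY_HEADERS = [
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains; preload' },
  { key: 'Content-Security-Policy', value: "default-src 'self'; frame-ancestors 'none'; object-src 'none'; base-uri 'self'" },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
];

// Drop-in for next.config.js:  module.exports = { headers };
async function headers() {
  return [{ source: '/(.*)', headers: SECURITY_HEADERS }];
}

// Compare a response header map (names in any case) with the baseline.
// Returns { missing: [names], mismatched: [{ key, expected, actual }] }.
function auditHeaders(responseHeaders) {
  const lower = {};
  for (const [k, v] of Object.entries(responseHeaders)) lower[k.toLowerCase()] = v;
  const missing = [];
  const mismatched = [];
  for (const { key, value } of SECURITY_HEADERS) {
    const actual = lower[key.toLowerCase()];
    if (actual === undefined) missing.push(key);
    else if (actual !== value) mismatched.push({ key, expected: value, actual });
  }
  return { missing, mismatched };
}

// Fetch a deployed URL (Node 18+ global fetch) and audit its headers.
async function auditUrl(url) {
  const res = await fetch(url, { method: 'HEAD', redirect: 'manual' });
  return auditHeaders(Object.fromEntries(res.headers));
}

// `node headers-audit.js --url https://app.example.com`
const urlFlag = process.argv.indexOf('--url');
if (urlFlag > 0 && process.argv[urlFlag + 1]) {
  auditUrl(process.argv[urlFlag + 1]).then((result) => {
    console.log(JSON.stringify(result, null, 2));
    if (result.missing.length > 0 || result.mismatched.length > 0) process.exitCode = 1;
  });
}
```

The audit compares values exactly, which is what you want for a baseline you control; if intermediate proxies legitimately rewrite a header, relax the comparison for that key rather than dropping it from the list.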

v0 (Vercel AI) Security Considerations

v0 by Vercel generates UI components using AI. While powerful, AI-generated code requires careful security review:

  • XSS Vulnerabilities: AI may generate code with dangerouslySetInnerHTML or unescaped user input
  • Insecure Dependencies: Generated code may import outdated or vulnerable packages
  • Authentication Gaps: AI may not implement proper authentication checks
  • Best Practice: Always review and scan AI-generated code before deployment

Last updated: January 2025