Vercel Security Incidents & Best Practices
A comprehensive analysis of security incidents affecting the Vercel platform and applications deployed on it, with actionable guidance for securing your deployments.
Vercel Security Overview
Vercel is a leading platform for frontend deployment, powering millions of websites and applications. While Vercel maintains strong security practices, the platform and applications deployed on it have experienced various security incidents over the years.
Understanding these incidents helps developers build more secure applications and configure their Vercel deployments safely.
Notable Security Concerns
Next.js Middleware Authorization Bypass (CVE-2025-29927)
A critical vulnerability in Next.js middleware allowed attackers to bypass authorization checks by manipulating the `x-middleware-subrequest` header. Next.js sets this header on its own internal sub-requests so that middleware does not invoke itself recursively; because the expected value was predictable, an external client could send it and have the middleware skipped entirely, so any authentication, redirect or header logic implemented there never ran. The bug affected self-hosted Next.js applications that relied on middleware for authorization and was fixed in Next.js 15.2.3, 14.2.25, 13.5.9 and 12.3.5; self-hosted deployments that cannot upgrade immediately should strip the header at their reverse proxy or WAF.
Impact
- Authorization bypass in middleware-protected routes
- Affected self-hosted Next.js applications
- Vercel-hosted apps were not affected: the Vercel edge network strips the header before a request reaches the application
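Two mitigations follow from how the bug works: drop the internal header at whatever sits in front of an unpatched self-hosted app, and never let middleware be the only place authorization happens. The following is an added illustration, not Next.js or Vercel code; it assumes Node 18 or later (global `Request`, `Response`, `Headers`), and the session store, cookie name and route are constructed for the example.

```javascript
// Added illustration for CVE-2025-29927; not Next.js or Vercel code.
// Assumes Node 18+ (global Request/Response/Headers). Session data is constructed sample data.

// Next.js marks its own internal middleware sub-requests with this header. The bug let
// a client set it and have the middleware skipped, so a reverse proxy in front of an
// unpatched self-hosted app should drop it before forwarding the request.
const INTERNAL_ONLY_HEADERS = ['x-middleware-subrequest'];

function stripInternalHeaders(incoming) {
  const cleaned = new Headers(incoming);
  for (const name of INTERNAL_ONLY_HEADERS) cleaned.delete(name);
  return cleaned;
}

// Constructed sample session store; a real app would look the token up in its session backend.
const VALID_SESSIONS = new Map([['s3ss10n-demo', { user: 'alice', role: 'admin' }]]);

// Resolve the `session` cookie to a session record, or null when absent or unknown.
function sessionFromCookie(cookieHeader) {
  if (!cookieHeader) return null;
  for (const part of cookieHeader.split(';')) {
    const [name, ...rest] = part.trim().split('=');
    if (name === 'session') return VALID_SESSIONS.get(rest.join('=')) ?? null;
  }
  return null;
}

// Defense in depth: re-check authorization inside the Route Handler itself, so skipping
// the middleware (through this bug or any future one) does not grant access on its own.
function requireRole(role, handler) {
  return (request) => {
    const session = sessionFromCookie(request.headers.get('cookie'));
    if (!session) return new Response('Unauthorized', { status: 401 });
    if (session.role !== role) return new Response('Forbidden', { status: 403 });
    return handler(request, session);
  };
}

// Handler as it would be exported from a hypothetical app/api/admin/route.js
const GET = requireRole('admin', (request, session) =>
  new Response(`hello ${session.user}`, { status: 200 }));
```

With the guard in the handler, a request that carries the spoofed header but no valid session cookie is rejected with 401 whether or not the middleware ran; `stripInternalHeaders` is the proxy-side complement for deployments that cannot upgrade yet.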
Environment Variable Exposure Risks
Misconfiguration of environment variables remains a common security issue. Anything prefixed `NEXT_PUBLIC_` is inlined into the client JavaScript bundle at build time, so a secret given that prefix is readable by anyone who loads the site. Server-only secrets also leak when a module that reads them is imported into a Client Component, or when client-side error handlers log them.
Common Mistakes
- Using the `NEXT_PUBLIC_` prefix for API keys or other secrets
- Importing server-only modules into Client Components (add `import 'server-only'` to such modules so the build fails instead of shipping them)
- Logging secrets in client-side error handlers
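The first mistake is cheap to catch before `next build` runs. The following is an added example, not Vercel tooling: a CI preflight that flags `NEXT_PUBLIC_` variables whose name or value looks like a secret. The name fragments, value patterns and sample environment are constructed for illustration and should be extended with the secret formats your own stack uses.

```javascript
// Added example, not Vercel tooling: preflight check for NEXT_PUBLIC_ variables that look like secrets.

// Name fragments that should never appear on a public variable.
const SECRET_NAME_RE = /SECRET|TOKEN|PASSWORD|PASSWD|PRIVATE|DATABASE_URL|CONNECTION_STRING/i;

// Value shapes of well-known secret material (constructed list; extend for your stack).
const SECRET_VALUE_PATTERNS = [
  /^sk_(live|test)_[A-Za-z0-9]+$/,                                // Stripe secret key
  /^gh[pousr]_[A-Za-z0-9]{20,}$/,                                 // GitHub token
  /^AKIA[0-9A-Z]{16}$/,                                           // AWS access key id
  /-----BEGIN [A-Z ]*PRIVATE KEY-----/,                           // PEM private key
  /^(postgres(ql)?|mysql|mongodb(\+srv)?|redis):\/\/[^/]*:[^@/]+@/, // URL with embedded password
];

// Return the public variables that look like secrets, each with the reasons it was flagged.
function findLeakedPublicSecrets(env) {
  const findings = [];
  for (const [name, value] of Object.entries(env)) {
    if (!name.startsWith('NEXT_PUBLIC_')) continue; // server-only variables are never inlined
    const reasons = [];
    if (SECRET_NAME_RE.test(name)) reasons.push('name suggests a secret');
    if (SECRET_VALUE_PATTERNS.some((re) => re.test(String(value)))) {
      reasons.push('value matches a known secret format');
    }
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

// Fail the build with a readable report when anything is flagged.
function assertNoLeakedPublicSecrets(env) {
  const findings = findLeakedPublicSecrets(env);
  if (findings.length > 0) {
    const detail = findings.map((f) => `${f.name}: ${f.reasons.join(', ')}`).join('\n');
    throw new Error(`Refusing to build; public variables look like secrets:\n${detail}`);
  }
}

// Constructed sample environment, as a build might see it.
const SAMPLE_ENV = {
  NEXT_PUBLIC_APP_URL: 'https://app.example.com',             // fine: genuinely public
  NEXT_PUBLIC_STRIPE_KEY: 'sk_live_EXAMPLE0000000000',          // wrong: secret key would be inlined into the bundle
  NEXT_PUBLIC_API_TOKEN: 'opaque-value',                        // wrong by name alone
  DATABASE_URL: 'postgres://app:hunter2@db.internal:5432/app',  // fine: server-only, not inlined
};
```

In CI, call `assertNoLeakedPublicSecrets(process.env)` in the step before `next build`; the findings are warnings to review, since a browser API key that is meant to be public will also match a name such as `NEXT_PUBLIC_MAPS_TOKEN`.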
Preview Deployment Security
Preview deployments can expose sensitive application state and data if not protected. If Deployment Protection is not enabled, anyone who obtains a preview URL can open it, and preview builds often contain features, test data or admin interfaces not intended for public access.
Risks
- Unfinished features exposed to the public
- Test data or admin interfaces accessible
- Search engines indexing preview URLs
Server-Side Request Forgery (SSRF) in Image Optimization
The Next.js Image Optimization endpoint (`/_next/image?url=...`) fetches the given URL server-side and returns a re-encoded image, accepting any URL whose host and path match `images.remotePatterns` (or the older `images.domains` list). A wildcard hostname such as `'**'`, or a pattern broad enough to cover hosts the function can reach but users should not, turns the optimizer into a fetch proxy that an attacker can point at internal services. Even when the upstream response is rejected because it is not a decodable image, the request has already reached the target, so the issue remains exploitable as blind SSRF.
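To see what a permissive pattern admits, the following added example (not the Next.js implementation) re-implements the documented `remotePatterns` wildcard rules in simplified form, where `*` matches one hostname or path segment and `**` matches any number, and checks candidate URLs against a permissive and a strict configuration. The hostnames, patterns and the internal addresses used as probes are constructed for illustration.

```javascript
// Added example, not Next.js's own matcher: a simplified re-implementation of the
// documented remotePatterns wildcard rules, used to show what a permissive pattern
// lets the /_next/image endpoint fetch on an attacker's behalf.

// Turn a hostname or pathname pattern into a RegExp: '*' is one segment, '**' any number.
function globToRegExp(pattern, separator) {
  const escaped = pattern.replace(/[.+?^${}()|\[\]\\]/g, '\\$&'); // escape metacharacters, keep '*'
  const body = escaped
    .replace(/\*\*/g, '\u0000')                 // placeholder so '**' is not consumed by the '*' rule
    .replace(/\*/g, `[^${separator}]+`)         // '*': exactly one segment
    .replace(/\u0000/g, '.*');                  // '**': any number of segments
  return new RegExp(`^${body}$`);
}

// Does urlString match at least one remotePatterns entry (protocol, port, hostname, pathname)?
function matchesRemotePattern(urlString, remotePatterns) {
  let url;
  try { url = new URL(urlString); } catch { return false; }   // not a URL: nothing to fetch
  const protocol = url.protocol.slice(0, -1);                   // 'https:' -> 'https'
  return remotePatterns.some((p) => {
    if (p.protocol !== undefined && p.protocol !== protocol) return false;
    if (p.port !== undefined && p.port !== url.port) return false;
    if (!globToRegExp(p.hostname, '.').test(url.hostname)) return false;
    return globToRegExp(p.pathname ?? '/**', '/').test(url.pathname);
  });
}

// Constructed configurations: the weak one beside the corrected one.
const PERMISSIVE = [{ hostname: '**' }];   // any host, any scheme: an open fetch proxy
const STRICT = [{ protocol: 'https', hostname: 'cdn.example.com', pathname: '/images/**' }];
```

Under `PERMISSIVE`, a link-local metadata address and an in-cluster service hostname both pass, so the optimizer would issue those requests from inside the deployment; under `STRICT` only HTTPS fetches of `cdn.example.com/images/...` pass, and neither a sibling subdomain nor another path on the same host is accepted.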
Vercel Security Best Practices
Protect Environment Variables
Never use the `NEXT_PUBLIC_` prefix for sensitive values. Keep them in server-only environment variables and read them only in Server Components, Route Handlers, API routes or other server code.
```
# Good: server-only
DATABASE_URL=...
API_SECRET=...
# Only for truly public values
NEXT_PUBLIC_APP_URL=...
```
Secure Preview Deployments
Enable Deployment Protection for preview deployments in Vercel Project Settings → Deployment Protection: Vercel Authentication limits access to members of your Vercel team, and Password Protection requires a shared password. Also avoid pointing preview builds at production data, so that a leaked preview URL exposes as little as possible.
Configure Remote Patterns Strictly
Limit image optimization sources to only necessary domains with specific paths.
```
// next.config.js
/** @type {import('next').NextConfig} */
module.exports = {
  images: {
    // Allow only this host and path prefix; never use a wildcard hostname such as '**'.
    remotePatterns: [
      {
        protocol: 'https',
        hostname: 'specific-domain.com',
        pathname: '/images/**',
      },
    ],
  },
};
```
Enable Vercel Firewall
Use the Vercel Web Application Firewall (managed rulesets plus custom rules) to block common attack traffic such as SQL injection and XSS payloads. Treat it as defense in depth: a WAF filters known patterns, it does not replace parameterized queries, output encoding and proper authorization in the application itself.
Review Function Permissions
Serverless and Edge Functions run with whatever credentials their environment variables carry. Scope those credentials to the least privilege each function needs (a read-only database role, a cloud IAM policy limited to one bucket, a narrowly scoped API token), and make sure no function exposes sensitive operations such as bulk export or user impersonation without its own authorization check.
Configure and Verify Security Headers
Set security headers in `next.config.js` (the `headers()` hook) or `vercel.json` (`headers`), then verify them on the deployed site, since a rule with the wrong `source` pattern silently applies to no route. A typical baseline is `Strict-Transport-Security`, `Content-Security-Policy`, `X-Content-Type-Options: nosniff`, `X-Frame-Options` (or CSP `frame-ancestors`), `Referrer-Policy` and `Permissions-Policy`.
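The following is an added example, not Vercel's or Next.js's own code: a baseline header set in the shape the `next.config.js` `headers()` hook returns, plus a check that lists which of those headers a fetched response is missing, for use in a post-deploy test. The header values are a starting point to tune per application; the `source` pattern `/:path*` is the Next.js convention for all routes.

```javascript
// Added example, not Vercel's or Next.js's own code: baseline security headers for
// next.config.js and a post-deploy check that reports which ones a response lacks.

const securityHeaders = [
  // Two years, subdomains included. Add 'preload' only once you intend to submit the domain to the HSTS preload list.
  { key: 'Strict-Transport-Security', value: 'max-age=63072000; includeSubDomains' },
  { key: 'X-Content-Type-Options', value: 'nosniff' },
  { key: 'X-Frame-Options', value: 'DENY' },
  { key: 'Referrer-Policy', value: 'strict-origin-when-cross-origin' },
  { key: 'Permissions-Policy', value: 'camera=(), microphone=(), geolocation=()' },
  // Content-Security-Policy is deliberately absent from this static list: Next.js's own
  // inline scripts generally need a per-request nonce, so the Next.js docs set the CSP from
  // middleware instead of here.
];

// Rules in the shape Next.js expects from headers(): one rule applied to every route.
function buildHeaderRules() {
  return [{ source: '/:path*', headers: securityHeaders }];
}

// Given the Headers of a response fetched from the deployed site, list the expected
// headers that are missing (Headers.has() is case-insensitive, as header names are).
function missingSecurityHeaders(responseHeaders) {
  return securityHeaders.map((h) => h.key).filter((key) => !responseHeaders.has(key));
}

// next.config.js export, guarded so the file also loads in an ES-module context.
if (typeof module !== 'undefined' && module.exports) {
  module.exports = { async headers() { return buildHeaderRules(); } };
}
```

For the verification step, `missingSecurityHeaders((await fetch('https://<your-deployment>')).headers)` should return an empty array; anything it lists either was not configured or was configured under a `source` that does not match the route you fetched.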
v0 (Vercel AI) Security Considerations
v0 by Vercel generates UI components using AI. While powerful, AI-generated code requires careful security review:
- XSS Vulnerabilities: AI may generate code that uses `dangerouslySetInnerHTML` or renders user input without escaping
- Insecure Dependencies: Generated code may import outdated or vulnerable packages
- Authentication Gaps: AI may not implement proper authentication checks
- Best Practice: Always review and scan AI-generated code before deployment
Secure Your Vercel Deployment
Scan your Vercel-deployed application for security vulnerabilities, exposed secrets, and misconfigurations.
Last updated: January 2025