Developer Tools · April 3, 2026

Cloudflare Built a Next.js Clone in One Week With AI — Vercel Found 7 Security Holes in Two Days

Cloudflare's experimental vinext framework reimplements the full Next.js API surface on top of Vite and ships 4.4x faster builds. Within 48 hours of release, Vercel disclosed seven vulnerabilities — two of them critical — exposing the limits of AI-generated infrastructure code.

Cloudflare shipped vinext last month — an open-source Vite plugin that reimplements the Next.js API surface so developers can run Next.js applications without the Next.js compiler. One engineer built it in a week using Claude, spending $1,100 in API tokens. On a 33-route test app, production builds finish in 1.67 seconds versus 7.38 seconds with Next.js 16 and Turbopack. That is a 4.4x improvement, and it completely bypasses Vercel’s bundler.

The project sits on GitHub under the cloudflare org. It handles routing, server rendering, and next/* module imports. The goal is portability: run your Next.js codebase anywhere, not just Vercel’s edge network.

Vercel’s response came fast. Within two days of the release, Vercel’s security team disclosed seven vulnerabilities — two rated critical — including Server-Side Request Forgery (SSRF), broken authentication flows, missing security headers, and improper path parsing. Hacktron, an AI-powered security research firm, went further: their tool found 45 vulnerabilities across the codebase, 24 of which were manually validated.

The security research cuts to a real problem with AI-generated infrastructure code. Vinext’s test suite is built around functional requirements — “make it behave like Next.js” — and it does that well. But security vulnerabilities live in the negative space: complex interactions between layers that nobody wrote a test for. An SSRF in a server rendering endpoint isn’t caught by checking that a route returns the right HTML.
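To make the "negative space" point concrete, here is an added example that is not code from vinext, Next.js, or either company's report. It assumes a hypothetical server-side handler that fetches a caller-supplied URL, with a constructed allowlist and constructed test URLs, and shows a destination check that passes the functional test while failing the negative ones.

```javascript
// Added example: hypothetical destination check for a server-side fetch.
// The allowlist, function names and URLs are constructed for illustration.
const ALLOWED_HOSTS = new Set(["images.example.com"]);

// Naive check: enough to satisfy a "does the route work" test.
function naiveIsAllowed(rawUrl) {
  return rawUrl.startsWith("https://images.example.com");
}

// Stricter check: parse first, then compare exact URL components.
function strictIsAllowed(rawUrl) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return false; // unparseable input is rejected, never passed through
  }
  if (url.protocol !== "https:") return false;       // no scheme downgrade
  if (url.username || url.password) return false;    // no userinfo section
  if (url.port !== "") return false;                 // default port only
  return ALLOWED_HOSTS.has(url.hostname);            // exact host match
}

// The functional requirement: a legitimate asset URL is accepted.
const functionalCases = ["https://images.example.com/hero.png"];

// The negative space: inputs that must be refused (all constructed).
const negativeCases = [
  "https://images.example.com.attacker.test/hero.png", // lookalike suffix
  "https://images.example.com@127.0.0.1/",             // real host is loopback
  "http://images.example.com/hero.png",                // plaintext scheme
  "not a url",                                         // malformed input
];

// Run both suites against a given check and report each separately.
function evaluate(check) {
  return {
    functionalPass: functionalCases.every((u) => check(u) === true),
    negativePass: negativeCases.every((u) => check(u) === false),
  };
}

console.log("naive :", evaluate(naiveIsAllowed));
console.log("strict:", evaluate(strictIsAllowed));
```

A hostname allowlist like this is only the first layer: the fetch itself still needs to refuse redirects to other hosts and check the resolved address, which string-level validation cannot see.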

Cloudflare has acknowledged the vulnerabilities and is working on patches. The framework is explicitly labeled experimental, and Cloudflare recommends against using it in production until the security issues are resolved.

The broader story here is about the Cloudflare–Vercel relationship, which has been tense for years. Vercel sells developer experience on top of Next.js, which it maintains. Cloudflare offers competing compute at the edge. Vinext lands squarely in that overlap: it lets companies keep the Next.js developer experience while routing away from Vercel’s infrastructure. Vercel responded by publishing a detailed migration guide for moving from Cloudflare to Vercel — a move that reads more like competitive hardball than routine documentation.

For developers: vinext is worth watching, not using in production yet. The build speed improvement is real. The security posture is not there. If you want to evaluate it, spin it up on a non-sensitive project, track the GitHub issue queue, and wait for the post-patch release. The architecture — Vite 8 with Rolldown plus the Next.js API surface — is genuinely interesting and the speed gains suggest Turbopack may have a real competitor.

The $1,100 build cost will become a case study. Not because it proves AI can replace engineers, but because it shows that AI can prototype fast and surface the hard problems that only adversarial review finds.
