Vercel Uncovers 7 Vulnerabilities in Cloudflare’s New Framework and Publishes a Migration Guide
Vercel’s CEO announced the discovery of seven security flaws in Cloudflare’s AI‑generated vinext framework and simultaneously released a detailed guide for migrating applications from Cloudflare Workers to Vercel, highlighting performance claims, migration steps, and the broader competitive context.
After Cloudflare announced an AI‑rewritten Next.js implementation called vinext, Vercel CEO Guillermo Rauch posted on X that Vercel had responsibly disclosed two critical, two high‑severity, two medium‑severity, and one low‑severity security issues in the framework.
Rauch labeled vinext a “vibe‑coded framework,” a pejorative term suggesting AI‑generated code is prone to flaws such as insecure authorization logic and SSRF vulnerabilities, while noting that Cloudflare engineers actually performed over 800 AI coding sessions, wrote more than 1,700 unit tests, 380 end‑to‑end browser tests, and maintained full TypeScript type checking and CI pipelines.
On the same day, Vercel published a comprehensive migration tutorial titled “Migrate to Vercel from Cloudflare.” The guide covers DNS/domain migration (CNAME‑based gradual migration or a full nameserver switch), replacing Cloudflare Workers with Vercel Functions, and detailed storage‑layer migration:
KV → Upstash Redis / Vercel KV
R2 → Vercel Blob
D1 → Neon / Supabase (Postgres)
Durable Objects → No direct replacement; architectural changes required
The tutorial warns that Cloudflare KV lacks an export tool, so developers must script key extraction and import into Redis, which can be costly for large datasets.
Environment variables and secrets should be collected via the Cloudflare Pages UI or wrangler secret put and then configured in Vercel for development, preview, and production environments.
Redirects and custom headers differ between Cloudflare Pages’ _redirects file and Vercel’s vercel.json, requiring manual conversion.
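The redirect conversion described above can be scripted. The following is an added example, not code from the article, Vercel's guide, or Cloudflare. It assumes the _redirects line format of source, destination, and optional status code, and vercel.json redirects entries with source, destination, and statusCode; the function names and the sample rules are constructed for illustration.

```javascript
// Added example, not from the article or either vendor. SAMPLE is constructed.
const SAMPLE = [
  "# constructed sample _redirects file",
  "/home      /               301",
  "/blog/*    /news/:splat",
  "/u/:id     /users/:id      308",
  "/app/*     /index.html     200",
  "/out/*     https://:splat  302",
  "/broken",
].join("\n");

const REDIRECT_CODES = new Set([301, 302, 303, 307, 308]);

// Cloudflare's "*" / ":splat" pair becomes one named wildcard, ":splat*".
function toVercelPath(path) {
  return path.replace(/\*/g, ":splat*").replace(/:splat(?!\*)/g, ":splat*");
}

// Returns { redirects, review }: entries ready for vercel.json, plus lines
// that need a human decision instead of a mechanical translation.
function convertRedirects(text) {
  const redirects = [];
  const review = [];
  text.split(/\r?\n/).forEach((raw, index) => {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) return;
    const [source, destination, code, ...extra] = line.split(/\s+/);
    const flag = (reason) => review.push({ line: index + 1, text: line, reason });
    if (!destination || extra.length > 0) return flag("malformed rule");
    // _redirects defaults to 302; vercel.json defaults to 307, so always pin it.
    const statusCode = code === undefined ? 302 : Number(code);
    if (statusCode === 200) return flag("200 is a proxy/rewrite, not a redirect");
    if (!REDIRECT_CODES.has(statusCode)) return flag("unsupported status code");
    // A placeholder in the host lets the request path choose the target site.
    if (/^https?:\/\/[^/]*(:[A-Za-z_]|\*)/.test(destination)) {
      return flag("placeholder in destination host");
    }
    redirects.push({
      source: toVercelPath(source),
      destination: toVercelPath(destination),
      statusCode,
    });
  });
  return { redirects, review };
}

const result = convertRedirects(SAMPLE);
console.log(JSON.stringify({ redirects: result.redirects }, null, 2));
console.log(result.review);
```

Rules that land in review are left out of the generated output on purpose, so a proxy rule or a redirect whose target host is taken from the request path is decided by a person before it reaches vercel.json.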
The article also recounts the long‑standing rivalry between Guillermo Rauch and Cloudflare CEO Matthew Prince, including past performance benchmark disputes, outage taunts, and customer poaching, framing the whole episode as a battle for Next.js deployment sovereignty.
While the security disclosure itself is commendable, the timing—coinciding with the migration guide—suggests a strategic move. The author argues that the “vibe‑coded” label unfairly downplays vinext’s engineering rigor, yet acknowledges that any new framework will have vulnerabilities and that the speed of Cloudflare’s remediation will be crucial.
Ultimately, the competition benefits developers by breaking Vercel’s near‑monopoly on Next.js hosting, offering alternatives like vinext, OpenNext, and Netlify, and driving lower prices and service improvements across the web‑app infrastructure landscape.
