Next.js “Liberation” Turns Into Security Nightmare Overnight.

Cloudflare’s AI Rewrite Gets 7 Critical Flaws Called Out by Vercel – Who Wins the Framework Wars Now?

Yesterday the frontend world was throwing confetti.
Cloudflare CTO Dane Knecht declared “It’s Next.js Liberation Day” and shipped vinext — a from-scratch Vite reimplementation of Next.js built in one week by one engineer using Claude, $1,100 in tokens, and Next.js’s own massive test suite.

94% API compatibility.
4.4× faster production builds (1.67 s vs 7.38 s).
57% smaller bundles.
Drop-in replacement. No lock-in. Deploy anywhere.

Evan You (Vite creator) called it “VERY cool.”
Engineer Ashley Peacock nailed the vibe: “Jokes aside, it is a good example of where AI shines: when the job is made clear and there’s a lot of information/direction for it to follow.”

It felt like freedom. It felt historic. Then Guillermo Rauch — Vercel CEO — posted this at 3:37 a.m. PT:

“We’ve identified, responsibly disclosed, and confirmed 2 critical, 2 high, 2 medium, 1 low security vulnerabilities in Cloudflare’s vibe-coded framework Vinext.
We believe the security of the internet is the highest priority, especially in the age of AI. Vibe coding is a useful tool, especially when used responsibly.
Our security research and framework teams are extending their help and expertise to Cloudflare in the interest of the public internet’s security.”

He followed up saying they’re donating the bug-bounty payout to interesting AI and cybersecurity teams or open-source projects.

The replies exploded.

Vercel CTO Malte Ubl (@cramforce): just “👀”

@johncodes dropped the meme that perfectly captured the mood: “babe wake up the cloud CEOs beefing again”

@jrysana: “The moment I saw their announcement… my very first thought was ‘there’s no possible way this thing doesn’t have tons of vulnerabilities’… thank you for working to protect the security of the community even in these cases.”

The day before, Rauchg had already dropped Vercel’s official “Migrate from Cloudflare to Vercel” guide. When someone asked about going the other direction he replied: “Yes. Delete all the 𝚠𝚛𝚊𝚗𝚐𝚕𝚎𝚛.𝚓𝚜𝚘𝚗𝚌 config nonsense, all the proprietary cf 𝚒𝚖𝚙𝚘𝚛𝚝s, and run it on Vercel!”

In another thread he was more direct:
“Yeah tbh I really like that both companies are basically ‘team web’. But I also think they’re intellectually dishonest and push a lot of low-quality stuff. That’s why we exist.”

On Durable Objects (Cloudflare’s killer primitive): “DO is a lock-in primitive on top of a lock-in runtime. We’ll come up with something better.”

So… what just happened?

Cloudflare proved 2026 AI can rebuild an entire framework surface in a week and ship something production-ready (real government sites are already running it).
Vercel proved that “vibe coding” at warp speed can still ship critical security holes — and they’re not shy about calling it out publicly, responsibly, and with receipts.
The nuance is brutal and beautiful at the same time.
Vercel isn’t saying AI can’t do this. They’re saying do it responsibly. Clear specs? Great. Comprehensive tests? Necessary. But shipping a “vibe-coded” drop-in replacement for one of the most security-sensitive parts of the modern web without the same battle-testing that Next.js has endured for years? That’s playing with fire.
Cloudflare’s move still stands as the most exciting proof yet that the cost of software implementation has collapsed. Evan You was right — we’re going to see more of these leaner, faster re-implementations.
But Rauchg’s posts added the missing adult-in-the-room voice: speed without security is just technical debt with extra steps.

The community is split — and loving every second of it.

Some are already migrating test apps to vinext.
Others are pausing, waiting for Cloudflare’s patches and the full security disclosure.
A lot of us are just refreshing the timeline like it’s reality TV with better benchmarks.

Your move

If you’re on Next.js today, the vinext migration is still stupidly easy:

npm install vinext

swap the script name

vinext dev / vinext build / vinext deploy.

But maybe run it behind a feature flag first. And maybe thank both teams — one for the audacious speed, the other for the public security pressure.
This isn’t just another framework drama.
This is the first major public collision between “move fast and vibe-code everything” and “the internet’s security is non-negotiable in the AI era.”
Who do you think is right?
Is vinext the glorious liberation we’ve been waiting for… or a cautionary tale about what happens when we ship AI-generated frameworks before the security team wakes up?
Drop your hottest, most honest take below. Especially if you’ve already tried vinext or spotted something sketchy in the code.
The framework wars just got way more interesting — and a lot more important.

Tohju.com AI.