Next.js Security Scanner

Next.js is the most deployed framework in the vibe coding ecosystem. Every tool from Cursor to v0 to Bolt generates Next.js code. That makes Next.js-specific vulnerabilities the most widespread attack surface in AI-built apps.

CVE-2025-29927 allows attackers to bypass your entire middleware auth by adding a single header: x-middleware-subrequest. If your Next.js version is unpatched, every protected route is wide open. VibeArmor tests for this specific CVE along with other Next.js patterns: leaked NEXT_PUBLIC_ vars in client bundles, API routes that skip auth, and source maps left enabled in production builds.

Paste your deployed URL and VibeArmor will probe your app the same way an attacker would. No code access needed, no CLI install, no GitHub integration.

What VibeArmor detects in Next.js apps

  • Middleware auth bypass via CVE-2025-29927 (x-middleware-subrequest header)
  • NEXT_PUBLIC_ environment variables exposing backend secrets
  • Unprotected API routes accessible without authentication
  • Server Actions callable without authorization checks
  • Source map files leaking application code in production
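Two of the checks above can also be run on the defender's side, without a scanner. The following is an added example, not VibeArmor's code: it triages constructed edge-proxy log lines for inbound requests carrying the x-middleware-subrequest header (only Next.js itself should set it, on internal sub-requests, so an external client sending it is an attack indicator whatever the patch level) and checks a constructed env map for NEXT_PUBLIC_ names that look like credentials. All log entries, IPs, header values and env names are constructed samples.

```javascript
// Added example (not VibeArmor's code). Sample logs and env are constructed.
const BYPASS_HEADER = "x-middleware-subrequest";

// Constructed edge-proxy access log, one JSON object per line.
const SAMPLE_LOGS = [
  '{"ip":"203.0.113.5","method":"GET","path":"/admin","headers":{"x-middleware-subrequest":"sample-a","user-agent":"curl/8.0"}}',
  '{"ip":"198.51.100.7","method":"GET","path":"/dashboard","headers":{"user-agent":"Mozilla/5.0"}}',
  'not json at all',
  '{"ip":"203.0.113.5","method":"POST","path":"/api/users","headers":{"X-Middleware-Subrequest":"sample-b","content-type":"application/json"}}',
];

// Returns the log entries that carry the bypass header. Header names are
// compared case-insensitively, as HTTP requires; malformed lines are skipped.
function findBypassAttempts(jsonLines) {
  const hits = [];
  for (const line of jsonLines) {
    let entry;
    try { entry = JSON.parse(line); } catch { continue; }
    const headers = entry.headers || {};
    const key = Object.keys(headers).find((k) => k.toLowerCase() === BYPASS_HEADER);
    if (key !== undefined) {
      hits.push({ ip: entry.ip, method: entry.method, path: entry.path, value: headers[key] });
    }
  }
  return hits;
}

// NEXT_PUBLIC_ variables are inlined into the client bundle at build time, so
// one whose name suggests a credential is leaked by construction. The word list
// is a heuristic; extend it for your own naming conventions.
const SECRET_WORDS = ["SECRET", "PRIVATE", "PASSWORD", "TOKEN", "SERVICE_ROLE"];

function findLeakedPublicSecrets(env) {
  return Object.keys(env).filter(
    (name) => name.startsWith("NEXT_PUBLIC_") &&
      SECRET_WORDS.some((w) => name.toUpperCase().includes(w)),
  );
}

// Constructed env: one safe public value, one leaked secret, one server-only secret.
const SAMPLE_ENV = {
  NEXT_PUBLIC_API_URL: "https://api.example",
  NEXT_PUBLIC_DB_PASSWORD: "constructed",
  DATABASE_PASSWORD: "constructed",
};

console.log(findBypassAttempts(SAMPLE_LOGS));     // two hits from 203.0.113.5
console.log(findLeakedPublicSecrets(SAMPLE_ENV)); // ["NEXT_PUBLIC_DB_PASSWORD"]
```

The log check is a detection aid only; the fix for the CVE itself is upgrading Next.js, and stripping the header at the reverse proxy is a stopgap until that is done.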

Scan Your Next.js App Free

No signup • Results in 3 minutes

How VibeArmor helps

TIER 1

Critical exploits

Exposed secrets, auth bypass, injection, and cross-user data access. These get apps hacked.

TIER 2

Active defenses

HTTPS, CSP, rate limiting, and cookie security. Real protections that stop real attacks.

TIER 3

Best practices

Informational items that do not affect your grade. Good to know, not urgent to fix.