AI vibe-coded Next.js app pinned vulnerable dependency — cryptominer compromised production server
Description
A developer used an AI coding agent to build a Next.js web service via 'vibe coding' (building from functional descriptions). The agent pinned a dependency version that contained CVE-2025-29927, a Next.js middleware bypass vulnerability. The code passed all functional tests. The vulnerable version was deployed to production and subsequently exploited: an attacker used the CVE to deploy a cryptominer that ran the server at ~100% CPU continuously. The author notes the AI had no cost model for what dependency version selection means at runtime.
Instruction Given
Build a Next.js web service from functional descriptions
Expected Behavior
A secure, deployable web service using appropriate dependency versions
Actual Behavior
AI pinned next@14.1.0 (or equivalent vulnerable version) with CVE-2025-29927, which was deployed and exploited to run a cryptominer in production
Impact / Damage
Production server compromised; the cryptominer ran at 100% CPU until discovered. Remediated after the incident.
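The gate that was missing here is a pre-deploy check that compares the pinned `next` release against the patched release for its major line. The following is an added example, not code from the report or from the affected project: the fixed versions in the table are taken from the vendor advisory for CVE-2025-29927 (an assumption to confirm against the advisory), and the package.json sample is constructed to mirror the incident's pin of next@14.1.0.

```javascript
// Added example (not from the original report): a CI check that reads package.json
// and flags a "next" pin older than the patched release for its major line.
// ASSUMPTION: fixed releases per the vendor advisory for CVE-2025-29927; verify
// them against the advisory before relying on this table.
const FIXED_FOR_CVE_2025_29927 = { 12: "12.3.5", 13: "13.5.9", 14: "14.2.25", 15: "15.2.3" };

// Parse "14.1.0" into [14, 1, 0]. Ranges such as "^14.1.0" are rejected on purpose:
// with a range, the lockfile (not package.json) decides what actually ships.
function parseExact(spec) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(spec).trim());
  return m ? m.slice(1, 4).map(Number) : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns { spec, status, fixed } where status is one of:
//   "missing"    - next is not a runtime dependency
//   "range"      - not an exact pin; inspect the lockfile's resolved version instead
//   "review"     - major line has no patched release in the table; upgrade lines
//   "vulnerable" - exact pin is older than the patched release for its line
//   "patched"    - exact pin is at or above the patched release
function checkNextPin(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const spec = (pkg.dependencies && pkg.dependencies.next) || null;
  if (!spec) return { spec, status: "missing", fixed: null };
  const pinned = parseExact(spec);
  if (!pinned) return { spec, status: "range", fixed: null };
  const fixed = FIXED_FOR_CVE_2025_29927[pinned[0]];
  if (!fixed) return { spec, status: "review", fixed: null };
  const status = compareSemver(pinned, parseExact(fixed)) < 0 ? "vulnerable" : "patched";
  return { spec, status, fixed };
}

// Constructed sample mirroring the incident: the agent pinned next@14.1.0.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "vibe-service",
  dependencies: { next: "14.1.0", react: "18.2.0" },
});

// In CI, any status other than "patched" should fail the job before deploy.
console.log(checkNextPin(SAMPLE_PACKAGE_JSON)); // { spec: '14.1.0', status: 'vulnerable', fixed: '14.2.25' }
```

The check is deliberately narrow (one package, one advisory); in practice the same comparison belongs in a dependency audit step that runs against the lockfile's resolved versions, so that a functionally green test suite cannot ship a known-vulnerable pin.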