Vercel vs. Replit vs. Cloudflare: the Next.js CVE that sparked a developer platform war
Mar 24, 2025
Key Points
- A critical Next.js vulnerability (CVE-2025-29927) in March triggered an unusual public war: Cloudflare released a tool for migrating projects off Vercel, and Replit's CEO attacked Next.js despite Replit using it internally.
- Vercel CEO Guillermo Rauch acknowledged communication failures but accused competitors of 'childish tactics,' signaling the developer platform market has shifted from cooperation to zero-sum competition.
- Vercel's $3.25 billion valuation and 1 million monthly Next.js users give it structural advantages, but security lapses corrode developer trust when competitors aggressively exploit them.
Summary
A critical vulnerability in Next.js (CVE-2025-29927), disclosed around March 22, allowed attackers to bypass middleware authorization checks in apps that use middleware and run under "next start" with "output: standalone". Applications hosted on Vercel, Netlify, and Cloudflare were unaffected, but the incident exposed communication gaps between Vercel and industry partners.
Vercel CEO Guillermo Rauch acknowledged the missteps and committed to improving processes. His competitors moved faster. Cloudflare CEO Matthew Prince released a migration tool to move projects from Vercel to Cloudflare. Replit CEO Amjad Masad publicly highlighted Replit's proactive scanning and patching while expressing a preference for frameworks beyond Next.js, an awkward criticism given that Replit itself uses Next.js for its own website. Rauch responded by accusing both competitors of using "childlike tactics and memes."
The escalation breaks industry convention. Until now, competitors typically stayed silent when rivals faced outages or security issues. Replit and Cloudflare abandoned that norm, signaling a market that has shifted from green-field expansion into zero-sum competition.
Market structure
The three platforms serve distinct customer tiers. Replit is where developers prototype and build in the browser with AI assistance. Vercel is where projects graduate for speed and performance: it is the platform that handled MrBeast's merchandise drop and the hundreds of millions of hits it drove. Cloudflare becomes the cheaper option at scale, though it requires more infrastructure sophistication. All three are competing for position as AI and "vibe coding" lower deployment barriers and reduce the value of traditional DevOps work.
Vercel's position
Founded in 2015 as Zeit and rebranded in 2020, Vercel has raised $461 million across five rounds and reached a $3.25 billion valuation in May 2024. The company has over $100M in ARR and claims over 1 million monthly Next.js users. Its customers include Airbnb, GitHub, Uber, Nike, OpenAI, and Perplexity.
Vercel's competitive moat is Next.js, an open-source React framework launched in October 2016. The strategy is straightforward: make Next.js the default choice for React front-end development, then add velocity through immutable deployments, preview environments, and serverless scaling. Developers ship code without managing infrastructure.
Recently, Vercel has moved upstream. It partnered with AWS to embed AI features, acquired Tremor (a React component library for data dashboards) in January 2025, and announced plans to host Anthropic APIs and deploy LLMs at the edge. The pitch is that developers can build a front-end with embedded AI without round-tripping through external API servers, eliminating latency penalties.
Vercel's culture centers on founder-led iteration and customer feedback. Paul Graham specifically endorsed this model, noting that a founder-CEO soliciting complaints demonstrates authentic stewardship in a way a hired executive would avoid.
Security lapses and messaging failures corrode developer trust. Vercel's misstep was genuine. The speed and cynicism with which competitors capitalized suggest the developer infrastructure market has crossed from cooperative to combative as the space matures and substitutes proliferate.