
The vulnerabilities of vibe coding: an analysis of security risks in Next.js

Vibe coding, the practice of generating code quickly through AI assistants, is reshaping the way applications are built. Yet this approach comes with significant limitations, particularly when it comes to application security. The Next.js ecosystem, a React framework widely adopted for web application development, is a textbook example of the issues raised by AI-generated code.

⚠️ Watch out: Vibe coding generates code fast, but without understanding the business context or the security requirements specific to your project.

The structural weaknesses of vibe coding

The lack of business context in AI-generated code

Automatic code generation tools produce generic solutions without grasping the specifics of a project. This limitation shows up as several problems in development practices:

  • Disregard for sector-specific regulatory constraints (GDPR, financial directives)
  • Ignorance of the existing architecture and its particularities
  • Reproduction of standard patterns ill-suited to specific needs
  • No analysis of sensitive data flows, and therefore no protection tailored to that data

The reproduction of known security vulnerabilities

AI models train on corpora of existing code, including outdated or flawed examples. This means they propagate documented security flaws and build up heavy technical debt:

  • SQL injections in non-parameterized queries
  • Insufficient validation of user input
  • Faulty handling of sessions and authentication tokens
  • Hardcoded secrets and the accidental exposure of API keys

When such code is published and later swept back into training corpora, these security vulnerabilities risk contaminating the AI models themselves, which then reproduce the same mistakes in the code they generate for other projects.

Security vulnerabilities specific to Next.js produced by vibe coding

Server-side rendering misconfigurations

Next.js offers several rendering modes (SSR, SSG, ISR). Automatically generated code often misconfigures these options, opening up exploitable flaws. These misconfigurations include:

  • Exposure of sensitive data through getServerSideProps with no authentication or authorization checks
  • Transmission of confidential information in client-side props
  • Poorly configured caching that exposes personalized content
  • Leaks of environment variables into the browser bundle, and secrets hardcoded in client-side code
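
As an added illustration (not code from the original article), here is the unauthenticated getServerSideProps pattern beside a hardened version that checks the session cookie, authorizes the requested record, sends only the fields the page needs, and disables shared caching. The in-memory SESSIONS and USERS objects and the cookie name are constructed stand-ins for a real session store and database.

```javascript
// Constructed stand-ins for a session store and a user table (assumptions, not a real backend).
const SESSIONS = {
  "sess-abc": { userId: 7, expiresAt: Date.parse("2099-01-01T00:00:00Z") },
  "sess-old": { userId: 7, expiresAt: Date.parse("2000-01-01T00:00:00Z") }, // expired
};
const USERS = {
  7: { id: 7, email: "alice@example.test", plan: "pro",
       passwordHash: "$2b$10$constructed-hash", apiKey: "constructed-secret" },
};

function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) out[part.slice(0, eq).trim()] = decodeURIComponent(part.slice(eq + 1).trim());
  }
  return out;
}

// The pattern generated code often contains: no authentication, no authorization, and the
// whole database row serialized into the page (and into the __NEXT_DATA__ JSON blob).
function vulnerableGetServerSideProps(ctx) {
  return { props: { user: USERS[ctx.query.id] || null } };
}

// Hardened version. Next.js calls it with { req, res, query, ... } and awaits the result,
// so returning a plain object keeps the example synchronous.
function getServerSideProps(ctx) {
  const session = SESSIONS[parseCookies(ctx.req.headers.cookie).session];
  if (!session || session.expiresAt <= Date.now()) {
    return { redirect: { destination: "/login", permanent: false } };
  }
  const requestedId = Number(ctx.query.id);
  // Authorize: a user may only load their own record. 404 rather than 403 so the
  // response does not confirm which other ids exist.
  if (!Number.isInteger(requestedId) || requestedId !== session.userId) {
    return { notFound: true };
  }
  // Pick only what the page renders; never spread the whole row into props.
  const { id, email, plan } = USERS[requestedId];
  // Personalized content must not be stored by shared caches or CDNs.
  ctx.res.setHeader("Cache-Control", "private, no-store");
  return { props: { user: { id, email, plan } } };
}
```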

Insecure API routes in application development

Next.js API routes are a sensitive entry point. Vibe coding frequently generates vulnerable endpoints that undermine security governance:

  1. No verification of the allowed HTTP methods
  2. Missing validation of request parameters, leaving room for SQL injections
  3. Inadequate error handling that reveals the internal structure
  4. Insufficient protection against brute-force attacks
  5. Permissive CORS configuration
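
The five points above, applied to one API route, as an added example that is not part of the original article: the handler enforces the allowed method, validates the parameter before it reaches the data layer, returns only generic errors to the client, rate-limits per client address, and uses an explicit CORS allowlist. The CASES table, the allowed origin and the limit values are constructed assumptions.

```javascript
// Constructed sample table; a real route would run a parameterized query against the database.
const CASES = { 42: { id: 42, title: "Dupont v. Martin", internalNotes: "constructed" } };
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]); // assumed front-end origin
const RATE_LIMIT = { windowMs: 60000, max: 5 };
const hits = new Map(); // ip -> { count, windowStart }; per-instance memory, see note below

function rateLimited(ip) {
  const now = Date.now();
  const h = hits.get(ip);
  if (!h || now - h.windowStart >= RATE_LIMIT.windowMs) {
    hits.set(ip, { count: 1, windowStart: now });
    return false;
  }
  h.count += 1;
  return h.count > RATE_LIMIT.max;
}

// Accept only the exact shape the data layer expects, then bind it as a query parameter.
function validateCaseId(raw) {
  return typeof raw === "string" && /^\d{1,9}$/.test(raw) ? Number(raw) : null;
}

function findCase(id) {
  return CASES[id] || null; // stand-in for `SELECT id, title FROM cases WHERE id = $1`, [id]
}
// Shape of a pages/api/cases/[id].js handler (the real file would `export default` it).
function handler(req, res) {
  const origin = req.headers.origin;
  if (origin && ALLOWED_ORIGINS.has(origin)) { // explicit allowlist, never "*"
    res.setHeader("Access-Control-Allow-Origin", origin);
    res.setHeader("Vary", "Origin");
  }
  if (req.method !== "GET") {
    res.setHeader("Allow", "GET");
    return res.status(405).json({ error: "method not allowed" });
  }
  const ip = req.socket.remoteAddress;
  if (rateLimited(ip)) return res.status(429).json({ error: "too many requests" });
  const id = validateCaseId(req.query.id);
  if (id === null) return res.status(400).json({ error: "invalid id" });
  try {
    const row = findCase(id);
    if (!row) return res.status(404).json({ error: "not found" });
    return res.status(200).json({ id: row.id, title: row.title }); // explicit field list
  } catch (err) {
    console.error("case lookup failed", { ip, id, message: err.message }); // detail stays server-side
    return res.status(500).json({ error: "internal error" });
  }
}
```

The in-memory Map only counts requests seen by one server instance; on serverless or multi-instance deployments the counter must live in a shared store for the limit to hold.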

Faulty handling of authentication and authorization

Automatically generated authentication and authorization implementations regularly show gaps that compromise the protection of sensitive data:

  • Storage of JWT tokens in localStorage, where any script running in the page can read them
  • No rotation of refresh tokens
  • Client-side-only validation, which can be bypassed
  • Sessions with no proper expiration
  • Failure to apply least-privilege access

Liability in the event of a data breach

For law firms using applications built through vibe coding, the consequences of a security flaw go well beyond the technical sphere. Regulation imposes strict obligations:

  • Mandatory notification to the supervisory authority (in France, the CNIL) within 72 hours in the event of a breach
  • Informing the clients affected by the data compromise
  • Administrative penalties of up to 4% of annual revenue
  • Civil liability for harm caused to clients

📌 Key takeaway: GDPR penalties can reach 4% of annual revenue when a security flaw compromises personal data.

Professional secrecy and confidentiality

Lawyer-client privilege, protected in France by Article 66-5 of the Act of 31 December 1971, calls for particular vigilance. An application that contains security vulnerabilities undermines this ethical obligation and exposes the professional to disciplinary sanctions from the bar.


A methodology for securing AI-generated code

Systematic auditing and vulnerability testing

Every automatically generated fragment requires a thorough human review. This check must cover vulnerability testing and incorporate automated code review:

  1. Static analysis with tools such as SonarQube or ESLint
  2. Manual review of sensitive points (authentication and authorization, personal data)
  3. Penetration testing targeted at exposed features
  4. Validation of compliance with security frameworks (OWASP Top 10)
  5. Assessment of the accumulated technical debt

Putting technical safeguards in place and a DevSecOps approach

Building in protective mechanisms partly offsets the limitations of vibe coding. A DevSecOps approach makes it possible to embed security from the earliest phases of application development:

  • Input validation middleware on every API route to prevent SQL injections
  • A restrictive Content Security Policy (CSP)
  • Rate limiting on sensitive endpoints
  • Detailed logging of access and intrusion attempts
  • Encryption of sensitive data at rest and in transit
  • Securing the software supply chain
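
For the restrictive CSP item above, here is an added example (not from the original article) of a next.config.js that attaches a Content Security Policy and related headers to every route through the Next.js headers() hook. Generated code frequently ships a policy such as `default-src * 'unsafe-inline' 'unsafe-eval'`, which blocks nothing; the version below keeps script-src strict in production and relaxes it only where development mode requires. The API origin in connect-src is an assumption.

```javascript
// Development mode needs 'unsafe-eval' for React Fast Refresh, so the policy is built per
// environment instead of copying the dev-only relaxation into production.
function buildCsp(isDev) {
  const directives = {
    "default-src": ["'self'"],
    "script-src": isDev ? ["'self'", "'unsafe-eval'"] : ["'self'"],
    // Some Next.js built-ins and many UI libraries set inline style attributes; allowing
    // inline styles is the usual compromise, while scripts stay strict.
    "style-src": ["'self'", "'unsafe-inline'"],
    "img-src": ["'self'", "data:"],
    "connect-src": ["'self'", "https://api.example.test"], // assumed API origin
    "frame-ancestors": ["'none'"], // clickjacking protection
    "object-src": ["'none'"],
    "base-uri": ["'self'"],
    "form-action": ["'self'"],
  };
  return Object.entries(directives).map(([k, v]) => `${k} ${v.join(" ")}`).join("; ");
}

function securityHeaders(isDev) {
  const headers = [
    { key: "Content-Security-Policy", value: buildCsp(isDev) },
    { key: "X-Content-Type-Options", value: "nosniff" },
    { key: "Referrer-Policy", value: "strict-origin-when-cross-origin" },
    { key: "Permissions-Policy", value: "camera=(), microphone=(), geolocation=()" },
  ];
  // HSTS only in production: sending it from a plain-HTTP dev server would poison the browser's HSTS cache.
  if (!isDev) headers.push({ key: "Strict-Transport-Security", value: "max-age=63072000; includeSubDomains" });
  return headers;
}

// The object next.config.js would assign to module.exports. Next.js awaits headers(),
// so returning the array directly is accepted.
const nextConfig = {
  headers() {
    return [{ source: "/(.*)", headers: securityHeaders(process.env.NODE_ENV !== "production") }];
  },
};
```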

Training technical teams and development practices

Developers using automatic code generation tools must keep their application security skills sharp. Training technical teams makes it possible to quickly spot the dangerous patterns produced by AI and to reduce the maintenance burden tied to generated code.

Development practices have to evolve to include a systematic review of AI-generated code, with particular attention to misconfigurations and hardcoded secrets.

Recommendations for independent professionals

Contractual clauses with service providers

When commissioning application development, legal professionals should include specific clauses regarding the use of vibe coding:

  • A ban on, or strict framing of, the use of automatically generated code
  • An obligation to have a security audit performed by an independent third party, including vulnerability testing
  • A guarantee of compliance with recognized security standards
  • Contractual liability in the event of an exploited flaw
  • A commitment to limiting technical debt

Documentation and traceability

Keeping detailed technical documentation makes it easier to identify security vulnerabilities later on. This documentation must specify the origin of the code (written manually or generated by AI) and the validations carried out, particularly with regard to authentication and authorization.

Security incident response plan

Every organization using web applications must have a formal security incident management procedure, including:

  1. Identifying and containing the flaw
  2. Assessing the extent of the compromise
  3. Notifying the competent authorities
  4. Communicating transparently with the affected parties
  5. Applying the technical fix and deploying the patch