Secrets behind NEXT_PUBLIC_
A key named NEXT_PUBLIC_API_SECRET is in the browser bundle for everyone to read. We scan for exposed keys and tokens in the deployed JavaScript.
// v0 security
v0 turns prompts into polished Next.js apps on Vercel. Polished doesn't mean locked down — the gaps are usually exposed env vars and API routes that never check who's calling.
Scan your v0 app now — free, ~60 seconds, no signup.
v0 (by Vercel) generates Next.js front-ends and deploys them to Vercel. The code looks production-grade, which is exactly why people ship it as-is — including the parts that were never meant for real users.
Two patterns dominate: anything prefixed NEXT_PUBLIC_ is bundled into the browser (so a secret named that way is exposed), and generated API routes often perform actions without re-verifying the user's session or permissions.
NEXT_PUBLIC_
any env var with this prefix is shipped to the browser
Next.js documented behaviour
89%
of AI-built apps ship with at least one vulnerability
Industry analysis cited by vibeappscanner
CVE-2025-29927
a Next.js middleware auth-bypass worth checking your version against
Next.js advisory
A key named NEXT_PUBLIC_API_SECRET is in the browser bundle for everyone to read. We scan for exposed keys and tokens in the deployed JavaScript.
Generated route handlers often do the work without checking the session. Anyone who finds the endpoint can trigger it. We probe for unauthenticated, state-changing routes.
Some Next.js versions allow auth middleware to be bypassed with a crafted header. We check the framework version against known CVEs.
Shipping source maps hands attackers your original, commented source code. We detect them.
v0 generates clean Next.js code, but it doesn't harden it for you. The usual issues are NEXT_PUBLIC_ secrets exposed in the browser and API routes that skip auth. A scan finds both.
Next.js only ships env vars prefixed with NEXT_PUBLIC_ to the client — but it ships all of them. If you put a secret behind that prefix, it's public. Move it to a server-only variable.
Run bleek's free scan on your Vercel URL. We'll flag exposed keys, unprotected routes, dependency CVEs, and missing headers.
Free scan, real findings, a copy-paste fix for each one. No signup.