Vercel screwed up (breaking down the Next.js CVE)
Channel: Theo - t3․gg
Interviewed Person: Theo Browne (t3dotgg)
Description
Next.js just had a 9.1 level critical security vulnerability. Middleware could be bypassed, exposing thousands of apps. This is really, really bad, right? Well, there's a bit more to it...

Thank you Convex for sponsoring! Check them out at: https://soydev.link/convex

SOURCES
https://x.com/theo/status/1903696516042158248
https://x.com/rauchg/status/1904261205436616985
https://zhero-web-sec.github.io/research-and-things/nextjs-and-the-corrupt-middleware
https://nextjs.org/blog/cve-2025-29927

Want to sponsor a video? Learn more here: https://soydev.link/sponsor-me
Check out my Twitch, Twitter, Discord and more at https://t3.gg
S/O Ph4se0n3 for the awesome edit 🙏
Transcript
By now you've probably heard about the Next.js security incident: middleware can effectively be skipped entirely. This is really, really bad, putting hundreds of thousands of Next apps at risk, right? There is a lot of subtlety here that we have to dig into. There's a lot of things Vercel did absolutely wrong, and I am excited to roast them indefinitely for it, but there are other things here that are just fundamentally being misunderstood. And for what it's worth, I've never seen an app that would have been vulnerable to this, despite the fact that I've audited literally hundreds of Next.js apps. That doesn't mean this is okay, but it does make the characteristics of the exploit so much more interesting. So if you want a video that's just going to bash Vercel endlessly for bothering to ship Next.js, that's focused on people who don't use it at all, go watch something else. But if you want an actual deep dive figuring out what went wrong, why we're here, what problems led to the outrage and the incident in the first place, and how to prevent these things going forward, this is the video to watch. I'm very excited to break all of this down with you. But as Vercel is no longer a sponsor of the channel, someone has to cover the bill, so we're going to hear a quick word from today's sponsor and then go right back in.

Today's sponsor is one of those products that I really wish I had used for more of my stuff, because it would have made my life significantly easier, and it solves a ton of problems I have every day. That product is Convex, and I could tell you all about how it solves the missing half of your React app, but I'd rather just show you. This is a real codebase using Convex with Next.js, and it's super easy to set up. You might even notice the little Theo Browne in the corner here; that's because it already has auth set up too. It's just one of the many things Convex provides for you. Nothing too impressive, right? Well, let's look at what happens if I open up another window with the same project. I'll send another message and watch: it automatically appears in both, even though these are entirely different browsers. They could be different networks, different devices, different anything; as long as they're querying the same data, it gets automatically updated. The code for this must be super complex, right? Well, here's the message list: I use query api.messages.list, and here I list the messages. Where's the update? Well, if we go to api.messages.list, which you can command-click, we go into this convex folder in our codebase, which has messages.ts, and here I have my list function. It has empty args, we don't pass it anything, and the handler, an async function with context, and I use that to get messages from the DB, order by descending, and I take the first 100. And now it just automatically live updates. That's all you have to do; there is no additional work to trigger the update. Simply by this query's data changing, Convex is smart enough to post and push out an update to all clients that are affected by that change, and the result honestly kind of feels like magic, not having to do all the work to keep different devices in sync with different states. If I had used this for T3 Chat, all of our sync engine problems would be gone. And if this was something that didn't scale, that'd be one thing, but the guys who built Convex are industry experts in scalable data solutions. This stuff will run as far as you'll ever possibly need it to go. They built Dropbox; they know what they're doing. So if you're building a React app that needs stuff like, you know, server functions, database, vector search, cron jobs, auth, file management, type safety across the wire, real-time updates, any of these things, I am very confident that Convex is the best place to get started. If it was just me saying it, that's one thing, but Tanner Linsley has been telling me to take these guys more seriously, and there's no one whose word I hold higher than my own than Tanner Linsley. So don't take my word for it, take his and all the other people who are becoming obsessed with Convex. These guys know what they're doing. Check them out today at soydev.link/convex.

So I have put together a demo app here to showcase the exploit. There's a couple pieces I want to emphasize. We have two different routes that matter: we have this admin route that has a layout and a page, and we have the unauthorized route, which just has a page that says you're not supposed to be wherever you're going. And I have this sensitive.txt, this text data that I want to make sure only gets to a user if they're allowed. The middleware is a function that runs between when Next starts to process your request and
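The demo app the transcript describes (an admin route, an unauthorized route and a sensitive text file), modelled here as a plain Node script: this is an added example, not code from the video, from Vercel or from Next.js, and it uses no Next.js imports. The cookie format, session store and handler names are assumptions; it shows that when the admin handler re-checks the session on its own, the sensitive data is still withheld in the scenario where the middleware does not run for a request.

```javascript
// Added example (not the video's or Next.js's code): a framework-free model of
// the demo app. Cookie format, session store and route handlers are constructed.
const SENSITIVE = "constructed sample: contents of sensitive.txt";
const SESSIONS = new Map([["sess-admin-1", { user: "alice", role: "admin" }]]);

// Look up the session referenced by the request's cookie (null if none/invalid).
function sessionFor(req) {
  const m = /(?:^|;\s*)session=([^;]+)/.exec(req.headers.cookie || "");
  return m ? SESSIONS.get(m[1]) || null : null;
}

// Models a middleware guarding /admin: redirect unauthenticated callers to
// /unauthorized, otherwise let the request continue to the route.
function middleware(req) {
  if (req.path.startsWith("/admin") && !sessionFor(req)) {
    return { status: 307, location: "/unauthorized" };
  }
  return null; // continue
}

// The /admin page re-verifies the session itself (defence in depth), so the
// sensitive data is never released on the strength of the middleware alone.
function adminPage(req) {
  const s = sessionFor(req);
  if (!s || s.role !== "admin") return { status: 403, body: "" };
  return { status: 200, body: SENSITIVE };
}

function unauthorizedPage() {
  return { status: 200, body: "you're not supposed to be wherever you're going" };
}

// Simulated request pipeline. skipMiddleware models the case in which the
// middleware step is not executed for the request at all.
function handle(req, { skipMiddleware = false } = {}) {
  if (!skipMiddleware) {
    const r = middleware(req);
    if (r) return r;
  }
  if (req.path.startsWith("/admin")) return adminPage(req);
  if (req.path === "/unauthorized") return unauthorizedPage();
  return { status: 404, body: "" };
}
```

Run it with node; the anonymous /admin request is redirected when the middleware runs and gets a 403 with an empty body when it does not, while the request carrying a valid admin session gets the data either way.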
Video Details
- Duration: 49:05
- Published: March 27, 2025
- Channel: Theo - t3․gg
- Language: English
- Views: 48,359
- Likes: 1,327