AI vibe-coded Next.js app pinned vulnerable dependency — cryptominer compromised production server
Quick Answer
Unknown-agent caused a critical-severity (10/10) security vulnerability failure: AI vibe-coded Next.js app pinned vulnerable dependency — cryptominer compromised production server. The root cause was training data gap. Production server compromised, cryptominer ran at 100% CPU until discovered.
Description
A developer used an AI coding agent to build a Next.js web service via 'vibe coding' (building from functional descriptions). The agent pinned a dependency version that contained CVE-2025-29927, a Next.js middleware bypass vulnerability. The code passed all functional tests. The vulnerable version was deployed to production and subsequently exploited: an attacker used the CVE to deploy a cryptominer that ran the server at ~100% CPU continuously. The author notes the AI had no cost model for what dependency version selection means at runtime.
Instruction Given
Build a Next.js web service from functional descriptions
Expected Behavior
A secure, deployable web service using appropriate dependency versions
Actual Behavior
AI pinned next@14.1.0 (or equivalent vulnerable version) with CVE-2025-29927, which was deployed and exploited to run a cryptominer in production
Impact / Damage
Production server compromised, cryptominer ran at 100% CPU until discovered. Remediated after incident.
Frequently Asked Questions
What happened in incident STUPID-2026-0022? ▾
A developer used an AI coding agent to build a Next.js web service via 'vibe coding' (building from functional descriptions). The agent pinned a dependency version that contained CVE-2025-29927, a Next.js middleware bypass vulnerability. The code passed all functional tests. The vulnerable version was deployed to production and subsequently exploited: an attacker used the CVE to deploy a cryptominer that ran the server at ~100% CPU continuously. The author notes the AI had no cost model for what dependency version selection means at runtime.
Which AI agent caused this failure? ▾
Unknown-agent was responsible for this security vulnerability incident, documented as STUPID-2026-0022 in the StupidLLM AI agent incident database.
How severe was this AI agent failure? ▾
It is rated 10/10 (critical) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.
What was the root cause? ▾
The root cause was classified as training data gap. A secure, deployable web service using appropriate dependency versions
What was the impact or damage? ▾
Production server compromised, cryptominer ran at 100% CPU until discovered. Remediated after incident.
Related unknown-agent Incidents
An AI agent spun up duplicate CloudFormation stacks on every error and ran up a $6,531 AWS bill
Vibe-coded Moltbook exposed 1.5M API keys and 35,000 user emails via misconfigured database
Vibe-coded Tea app leaked 72,000 IDs and selfies plus 1.1M private messages from an unsecured bucket