VERCEL AI HARDENS TOOL APPROVAL AGAINST CLIENT FORGERY, FIXES CRITICAL WORKFLOW VALIDATION DRIFT

By RepoJournal

A client-side attack on tool approval replay is now closed across both generateText and WorkflowAgent after the workflow package's validation logic drifted from the hardened core path.

The tool-approval replay mechanism in vercel/ai was reconstructing approved tool calls directly from client-supplied messages without re-validating schema, re-applying policy, or verifying the server actually issued the approval [1]. A malicious client could forge an assistant message with a pre-approved tool call and have the server execute it [2]. That fix landed in generateText and streamText, but WorkflowAgent.stream duplicated the collection logic independently and drifted, leaving the same vulnerability open [3]. Both paths now share the hardened validation, closing VULN-11497 end-to-end.

Meanwhile, the harness agent API was leaking versioned HarnessV1* spec types into its public surface, coupling consumers to internal adapter details [4]. The type layer is now separated: consumers depend on stable HarnessAgent* names while the internal V1 spec stays decoupled [5].

On the infrastructure side, Vercel's connect package is cascading token cache evictions reactively when credentials go bad [6]. When a bearer is rejected by a resource server or an MCP server, it's dropped from cache without forcing a new consent flow, letting the next getToken refresh it automatically [7]. Go standalone functions' IPC proxy is being refactored into internals so Rust and other compiled languages can reuse the same transport layer, eventually deprecating the separate Vercel Rust crate [8]. React Router v7 SPA routing is fixed: subroute refreshes now serve index.html instead of targeting missing index output [9]. Python WSGI request bodies sent with Transfer-Encoding: chunked are no longer silently dropped [10].
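The three checks the tool-approval item says were missing on replay (server-issued approval, schema, policy), sketched as an added example; this is not code from vercel/ai or from this page. The HMAC binding, the `TOOLS` registry, the message shape and every function name are assumptions made for illustration, since the page does not say how the library verifies that the server issued an approval.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");
// Assumption: a server-only secret. This literal is a constructed demo value.
const APPROVAL_KEY = "constructed-demo-key";

// Hypothetical tool registry: schema check and policy both live on the server.
const TOOLS = new Map([["deleteFile", {
  validate: (input) => typeof input?.path === "string",
  permitted: (input) => input.path.startsWith("/tmp/") && !input.path.includes(".."),
}]]);

// The MAC binds an approval request to one call: its id, tool name and exact input.
function approvalMac(call) {
  const bound = JSON.stringify([call.toolCallId, call.toolName, call.input]);
  return createHmac("sha256", APPROVAL_KEY).update(bound).digest();
}

// Server side: attach the MAC when asking the client to approve a call.
function issueApprovalRequest(call) {
  return { ...call, mac: approvalMac(call).toString("hex") };
}

// True only if this exact call carries a MAC the server produced.
function serverIssued(call) {
  if (typeof call.mac !== "string") return false;
  const given = Buffer.from(call.mac, "hex"), expected = approvalMac(call);
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Replay path: every field in clientMessages is untrusted input.
function collectApprovedCalls(clientMessages) {
  const run = [], rejected = [];
  for (const msg of clientMessages) {
    if (msg?.role !== "assistant" || !Array.isArray(msg.toolCalls)) continue;
    for (const call of msg.toolCalls) {
      if (call?.approved !== true) continue;
      const tool = TOOLS.get(call.toolName);
      const reason = !tool ? "unknown tool"
        : !serverIssued(call) ? "approval not issued by server"
        : !tool.validate(call.input) ? "schema"
        : !tool.permitted(call.input) ? "policy" : null;
      if (reason) rejected.push({ toolCallId: call.toolCallId, reason });
      else run.push(call);
    }
  }
  return { run, rejected };
}

// Constructed sample: a server-issued call, then the same MAC reused on altered input.
const sampleCall = { ...issueApprovalRequest({ toolCallId: "c1", toolName: "deleteFile", input: { path: "/tmp/a" } }), approved: true };
console.log(collectApprovedCalls([{ role: "assistant", toolCalls: [sampleCall, { ...sampleCall, input: { path: "/tmp/b" } }] }]));
```

A MAC alone does not stop a valid approval from being submitted twice; record consumed `toolCallId` values server-side if approvals must be single-use.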

References

  [1] fix(security): harden tool approval replay path against client-forged approvals (#15947) vercel/ai
  [2] fix(security): harden tool approval replay path against client-forged approvals vercel/ai
  [3] fix(workflow): reuse core tool-approval validation in WorkflowAgent (#15987) vercel/ai
  [4] chore(harness): separate harness spec types (v1) from consumer-facing types (#15985) vercel/ai
  [5] chore(harness): separate harness spec types (v1) from consumer-facing types vercel/ai
  [6] [@vercel/connect] cascade token cache eviction via deleteTokenCacheEntry + connect() evict() (#16580) vercel/vercel
  [7] [@vercel/connect] add opt-in revoke to connect() evict() (#16597) vercel/vercel
  [8] [go] Refactor golang IPC proxy into internals so it can be reused. (#16556) vercel/vercel
  [9] [remix] Fix React Router SPA catch-all (#16595) vercel/vercel
  [10] [python] Decode chunked WSGI request bodies in python runtime. (#16594) vercel/vercel
  [11] fix: Prevent git argument injection in SCM refs (#13055) vercel/turborepo
  [12] fix: Block self-hosted login URLs from attempting to use Vercel's SSO (#13061) vercel/turborepo
  [13] fix: Harden query server file access (#13053) vercel/turborepo

FAQ

What changed in Vercel on June 11, 2026?
A client-side attack on tool approval replay is now closed across both generateText and WorkflowAgent after the workflow package's validation logic drifted from the hardened core path.
What should Vercel teams do about it?
  • Review tool approval flows in your AI agents if using generateText, streamText, or WorkflowAgent with client-supplied messages
  • If you're consuming HarnessAgent types, confirm your imports use the new stable names instead of HarnessV1* specs
  • Deploy Turborepo security hardening for git argument injection and self-hosted login URL phishing [ref:22] [ref:23]
Which Vercel repositories shipped on June 11, 2026?
vercel/ai, vercel/vercel, vercel/turborepo
