VERCEL AI HARDENS TOOL APPROVAL AGAINST CLIENT FORGERY, FIXES CRITICAL WORKFLOW VALIDATION DRIFT
By RepoJournal
A client-side attack on tool approval replay is now closed across both generateText and WorkflowAgent after the workflow package's validation logic drifted from the hardened core path.
The tool-approval replay mechanism in vercel/ai was reconstructing approved tool calls directly from client-supplied messages without re-validating schema, re-applying policy, or verifying the server actually issued the approval [1]. A malicious client could forge an assistant message with a pre-approved tool call and have the server execute it [2]. That fix landed in generateText and streamText, but WorkflowAgent.stream duplicated the collection logic independently and drifted, leaving the same vulnerability open [3]. Both paths now share the hardened validation, closing VULN-11497 end-to-end.

Meanwhile, the harness agent API was leaking versioned HarnessV1* spec types into its public surface, coupling consumers to internal adapter details [4]. The type layer is now separated: consumers depend on stable HarnessAgent* names while the internal V1 spec stays decoupled [5].

On the infrastructure side, Vercel's connect package now cascades token cache evictions reactively when credentials go bad [6]. When a bearer is rejected by a resource server or an MCP server, it is dropped from the cache without forcing a new consent flow, letting the next getToken refresh it automatically [7].

The IPC proxy for Go standalone functions is being refactored into internals so Rust and other compiled languages can reuse the same transport layer, eventually deprecating the separate Vercel Rust crate [8]. React Router v7 SPA routing is fixed: subroute refreshes now serve index.html instead of targeting missing index output [9]. Python WSGI request bodies sent with Transfer-Encoding: chunked are no longer silently dropped [10].
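The approval-replay weakness described above, as an added example that is not code from vercel/ai: a simplified model of a replay handler that trusts the client's message, next to one that treats the message only as a pointer to a server-held record and re-checks schema and policy. Every name here (`requestApproval`, `replayVulnerable`, `replayHardened`, the `deleteFile` tool, the session ids and paths) is an assumption made for illustration, not the AI SDK's API.

```typescript
// Added illustration: a simplified model, not the AI SDK's code or API.
type FileInput = { path: string };
type Tool = {
  validate: (input: unknown) => input is FileInput; // schema check
  policy: (input: FileInput) => boolean;            // server-side policy
  execute: (input: FileInput) => string;
};
type ClientApproval = { approvalId: string; toolName: string; input: unknown; approved: boolean };

const tools: Record<string, Tool> = {
  deleteFile: { // hypothetical tool
    validate: (i: unknown): i is FileInput =>
      typeof i === "object" && i !== null && typeof (i as FileInput).path === "string",
    policy: (i) => i.path.startsWith("/tmp/"),
    execute: (i) => `deleted ${i.path}`,
  },
};

// Server-side record of the approval requests it actually issued.
const pending = new Map<string, { sessionId: string; toolName: string; inputJson: string }>();
let counter = 0;

function requestApproval(sessionId: string, toolName: string, input: unknown): string {
  const id = `appr-${++counter}`; // constructed id; use an unpredictable value in practice
  pending.set(id, { sessionId, toolName, inputJson: JSON.stringify(input) });
  return id;
}

// BEFORE: rebuilds the call from the client's message and trusts its "approved" flag.
function replayVulnerable(r: ClientApproval): string {
  const tool = tools[r.toolName];
  return tool && r.approved ? tool.execute(r.input as FileInput) : "denied";
}

// AFTER: the client message only selects a server-held record; everything is re-checked.
function replayHardened(sessionId: string, r: ClientApproval): string {
  const rec = pending.get(r.approvalId);
  if (!rec || rec.sessionId !== sessionId) return "rejected: approval not issued by server";
  pending.delete(r.approvalId); // single use: the same approval cannot be replayed twice
  if (rec.toolName !== r.toolName || rec.inputJson !== JSON.stringify(r.input))
    return "rejected: call differs from the one approval was requested for";
  const tool = tools[rec.toolName];
  const input: unknown = JSON.parse(rec.inputJson); // execute the server's copy, not the client's
  if (!tool || !tool.validate(input)) return "rejected: schema";
  if (!tool.policy(input)) return "rejected: policy";
  return r.approved ? tool.execute(input) : "denied";
}
```

The input comparison uses `JSON.stringify`, which is sensitive to key order; a real implementation would compare a canonical form.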
Action items
- Review tool approval flows in your AI agents if using generateText, streamText, or WorkflowAgent with client-supplied messages (vercel/ai) [immediate]
- If you're consuming HarnessAgent types, confirm your imports use the new stable names instead of HarnessV1* specs (vercel/ai) [plan]
- Deploy Turborepo security hardening for git argument injection and self-hosted login URL phishing [ref:22] [ref:23] (vercel/turborepo) [immediate]
- Audit Turborepo query server deployments for Host header validation and CORS tightening [ref:25] (vercel/turborepo) [plan]
References
- [1] fix(security): harden tool approval replay path against client-forged approvals (#15947) vercel/ai
- [2] fix(security): harden tool approval replay path against client-forged approvals vercel/ai
- [3] fix(workflow): reuse core tool-approval validation in WorkflowAgent (#15987) vercel/ai
- [4] chore(harness): separate harness spec types (v1) from consumer-facing types (#15985) vercel/ai
- [5] chore(harness): separate harness spec types (v1) from consumer-facing types vercel/ai
- [6] [@vercel/connect] cascade token cache eviction via deleteTokenCacheEntry + connect() evict() (#16580) vercel/vercel
- [7] [@vercel/connect] add opt-in revoke to connect() evict() (#16597) vercel/vercel
- [8] [go] Refactor golang IPC proxy into internals so it can be reused. (#16556) vercel/vercel
- [9] [remix] Fix React Router SPA catch-all (#16595) vercel/vercel
- [10] [python] Decode chunked WSGI request bodies in python runtime. (#16594) vercel/vercel
- [11] fix: Prevent git argument injection in SCM refs (#13055) vercel/turborepo
- [12] fix: Block self-hosted login URLs from attempting to use Vercel's SSO (#13061) vercel/turborepo
- [13] fix: Harden query server file access (#13053) vercel/turborepo
FAQ
- What changed in Vercel on June 11, 2026?
  A client-side attack on tool approval replay is now closed across both generateText and WorkflowAgent after the workflow package's validation logic drifted from the hardened core path.
- What should Vercel teams do about it?
  Review tool approval flows in your AI agents if using generateText, streamText, or WorkflowAgent with client-supplied messages. If you're consuming HarnessAgent types, confirm your imports use the new stable names instead of HarnessV1* specs. Deploy Turborepo security hardening for git argument injection and self-hosted login URL phishing [ref:22] [ref:23].
- Which Vercel repositories shipped on June 11, 2026?
  vercel/ai, vercel/vercel, vercel/turborepo