v0 by Vercel produces some of the cleanest output of any vibe coding tool — idiomatic Next.js, nice components, sensible structure. But Next.js has a couple of specific security foot-guns, and "clean code" can still ship them.
So is v0 safe? The tool is excellent. The risks are Next.js-specific patterns you need to verify in the generated app.
Risk 1: NEXT_PUBLIC_ secret leaks
In Next.js, any environment variable prefixed with NEXT_PUBLIC_ is inlined into the browser bundle. It's the single most common way a Next.js app leaks a secret — a key gets that prefix "so the component can use it," and now it's public.
// RED FLAG: this ships the secret to the browser
const key = process.env.NEXT_PUBLIC_STRIPE_SECRET

// Correct: read secrets server-side, no NEXT_PUBLIC_ prefix
// (in a route handler or server action)
const key = process.env.STRIPE_SECRET

Only public values (a site URL, a publishable key) belong behind NEXT_PUBLIC_. Rotate any secret that ever carried that prefix.
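As an added example (not code from the original post, from v0 or from Vercel), here is a small CI-style check that parses a .env file and flags every NEXT_PUBLIC_ variable whose name or value looks like a secret. The name hints and value patterns are heuristics chosen here, and the sample .env values are constructed placeholders.

```javascript
// Added example: lint .env text for NEXT_PUBLIC_ variables that look secret.

// Name fragments that rarely belong in a browser-visible variable (heuristic).
const SECRET_NAME_HINTS = /SECRET|PRIVATE|PASSWORD|TOKEN|SERVICE_ROLE/i;

// Value shapes of known secret formats (Stripe sk_* = secret, pk_* = publishable).
const SECRET_VALUE_PATTERNS = [
  { name: 'stripe-secret', re: /^sk_(live|test)_/ },
  { name: 'aws-access-key-id', re: /^AKIA[0-9A-Z]{16}$/ },
];

// Parse .env-style text into { name, value } pairs; skips comments, strips one layer of quotes.
function parseEnv(text) {
  const pairs = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq === -1) continue;
    const name = line.slice(0, eq).trim();
    const value = line.slice(eq + 1).trim().replace(/^(['"])(.*)\1$/, '$2');
    pairs.push({ name, value });
  }
  return pairs;
}

// One finding per NEXT_PUBLIC_ variable that looks secret, with every reason that fired.
function findPublicSecrets(envText) {
  const findings = [];
  for (const { name, value } of parseEnv(envText)) {
    if (!name.startsWith('NEXT_PUBLIC_')) continue;
    const reasons = [];
    if (SECRET_NAME_HINTS.test(name)) reasons.push('name looks secret');
    for (const p of SECRET_VALUE_PATTERNS) {
      if (p.re.test(value)) reasons.push(`value matches ${p.name}`);
    }
    if (reasons.length > 0) findings.push({ name, reasons });
  }
  return findings;
}

// Constructed sample .env (every value is a fake placeholder).
const SAMPLE_ENV = `
NEXT_PUBLIC_SITE_URL=https://example.com
NEXT_PUBLIC_STRIPE_PUBLISHABLE_KEY=pk_test_placeholder
NEXT_PUBLIC_STRIPE_SECRET=sk_test_placeholder
NEXT_PUBLIC_API_TOKEN="not-a-real-token"
STRIPE_SECRET=sk_test_serverside_only
`;
```

A hit on the name heuristic is a prompt to review the variable, not proof of a leak; a value match on a known secret format is the one to rotate immediately.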
Risk 2: Route handlers and server actions with no auth
v0 will scaffold app/api/.../route.ts handlers and server actions that work — but "work" doesn't include an auth check. A generated route that returns data needs to verify the session and scope the query to the user, exactly as in the API security checklist.
// RED FLAG: route handler with no auth
export async function GET() {
  return Response.json(await db.user.findMany()) // everyone's data
}

Risk 3: Server-only logic leaking to the client
Mixing server and client components is easy to get subtly wrong. Make sure data fetching with secrets stays in server components or server actions, and that "use client" files never import code that reads secrets.
The v0 security checklist
- No real secret behind NEXT_PUBLIC_; secrets read server-side only; exposed keys rotated.
- Every route handler and server action checks auth and scopes data to the user.
- If you use a database, access is per-user (and RLS is on for Supabase — see the RLS guide).
- Security headers configured (CSP, HSTS) in next.config or middleware.
Verify the deployed app
The fastest way to know a v0 app is safe is to test what's live. Nurbak scans your deployed Next.js app for exposed secrets, route handlers with no auth, and missing headers, and returns a prioritized report. Paste your URL and get the result in seconds.