Undocumented 'X-Vercel-Set-Bypass-Cookie' Header Spotted in the Wild, Raising Security Concerns
Attackers are probing Vercel deployments with a custom, undocumented HTTP header that may trick servers into setting a bypass cookie, potentially relaxing security controls.

Security researchers at the SANS Internet Storm Center have detected a novel probing campaign targeting websites hosted on Vercel, a popular front-end deployment platform. Over the weekend, honeypots captured HTTP requests containing a custom header labeled `X-Vercel-Set-Bypass-Cookie`. This header is not part of Vercel's documented `x-vercel-protection-bypass` feature, which uses a user-configurable secret to disable deployment protections during testing or CI/CD operations.
The observed requests include a header value of `samesite-none-secure`, a variant not listed in Vercel's official documentation. The documented options are `True` (enables the cookie) and `samesite=none` (enables the cookie with SameSite=None). The undocumented `samesite-none-secure` value suggests attackers are experimenting with parameters that could force the server to set a cookie with relaxed security attributes, potentially exposing secrets or bypassing access controls.
According to the SANS diary, the requests originated through open proxies, likely to obscure the attacker's identity. The use of open proxies indicates a broad, automated scanning campaign rather than a targeted attack. The attackers appear to be probing for misconfigured Vercel deployments that might honor the undocumented header, potentially allowing them to bypass deployment protection mechanisms.
Vercel's protection bypass feature is designed to allow developers to temporarily disable security controls for legitimate testing purposes. However, if an undocumented header can trigger the same behavior without proper authentication, it could be abused by malicious actors to gain unauthorized access to protected deployments, steal sensitive data, or inject malicious content.
The SANS researcher noted that they have not yet tested the request against an actual Vercel website, leaving the exact impact unconfirmed. However, the discovery highlights the risks associated with undocumented or poorly documented features in cloud platforms. Attackers often probe for such features to find novel attack vectors.
This incident underscores the importance of rigorous documentation and security review of all platform features, especially those that can alter security controls. Vercel users are advised to review their deployment protection settings and ensure that only documented, authenticated bypass methods are enabled. The SANS Internet Storm Center continues to monitor for related activity and encourages reporting of any similar observations.
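One way to look for this probing in your own request logs, as an added example that is not code from the SANS diary or from Vercel: it flags requests that carry `X-Vercel-Set-Bypass-Cookie` with a value outside the two this article lists as documented, or without the `x-vercel-protection-bypass` secret header alongside it. The JSON-lines log format, the field names (`src`, `path`, `headers`) and the sample records are assumptions constructed for illustration.

```python
import json

# Values this article lists as documented for the set-bypass-cookie header.
DOCUMENTED_VALUES = {"true", "samesite=none"}
COOKIE_HEADER = "x-vercel-set-bypass-cookie"
SECRET_HEADER = "x-vercel-protection-bypass"

# Constructed sample records (assumed log format; IPs are documentation ranges).
SAMPLE_LOG = """\
{"src": "203.0.113.10", "path": "/", "headers": {"Host": "example.test", "X-Vercel-Set-Bypass-Cookie": "samesite-none-secure"}}
{"src": "203.0.113.11", "path": "/", "headers": {"Host": "example.test", "x-vercel-set-bypass-cookie": "samesite-none-secure"}}
{"src": "198.51.100.7", "path": "/api/health", "headers": {"Host": "example.test", "x-vercel-protection-bypass": "REDACTED", "x-vercel-set-bypass-cookie": "True"}}
{"src": "198.51.100.9", "path": "/", "headers": {"Host": "example.test"}}
"""

def classify(record):
    """Return a finding dict for a request carrying the cookie header, else None."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    headers = {k.lower(): str(v).strip() for k, v in (record.get("headers") or {}).items()}
    if COOKIE_HEADER not in headers:
        return None
    value = headers[COOKIE_HEADER]
    reasons = []
    if value.lower() not in DOCUMENTED_VALUES:
        reasons.append("undocumented-value")
    if SECRET_HEADER not in headers:
        reasons.append("no-bypass-secret")
    return {"src": record.get("src"), "path": record.get("path"), "value": value, "reasons": reasons}

def scan(log_text):
    """Classify every parseable line; malformed lines are skipped, not fatal."""
    findings = []
    for line in log_text.splitlines():
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(record) if isinstance(record, dict) else None
        if finding:
            findings.append(finding)
    return findings

def suspicious(findings):
    """Keep only findings with at least one reason to review them."""
    return [f for f in findings if f["reasons"]]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for f in suspicious(hits):
        print(f["src"], f["path"], repr(f["value"]), ",".join(f["reasons"]))
```

Requests that pair a documented value with the secret header are still returned by `scan` with an empty reason list, so legitimate CI/CD use can be counted separately from the probes.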
As cloud platforms increasingly offer bypass mechanisms for development convenience, the security community must remain vigilant against undocumented variants that could be weaponized. This discovery serves as a reminder that even features intended for legitimate use can become attack surfaces if not properly constrained and documented.