Observed Use of X‑Vercel‑Set‑Bypass‑Cookie Header in HTTP Requests Targeting Vercel Hosting Platform
What Happened — Over the weekend the SANS Internet Storm Center recorded a handful of HTTP requests to a honeypot that carried a custom request header named X‑Vercel‑Set‑Bypass‑Cookie. The name matches a header Vercel documents for its Deployment Protection bypass for automation: sent together with a valid X‑Vercel‑Protection‑Bypass secret, it asks Vercel’s edge to set the bypass cookie so that later requests reach a protected deployment without the header. On its own, as in the honeypot traffic, the header carries no secret, so the requests look like a probe for deployments that honour it rather than a demonstrated bypass of SameSite or other cookie‑based protections. No successful exploitation or data exfiltration has been confirmed.
Why It Matters for TPRM —
- Indicates an emerging reconnaissance technique aimed at Vercel‑hosted applications, a platform many SaaS vendors rely on.
- If a deployment honours the header together with a leaked or guessed bypass secret, an attacker reaches password‑ or SSO‑protected preview and staging deployments and could hijack any session issued there.
- Highlights the need for continuous monitoring of third‑party cloud providers for novel request patterns.
Who Is Affected — Organizations that use Vercel as a cloud‑hosting or edge‑computing platform, spanning SaaS providers, e‑commerce sites, and any web application that relies on Vercel’s Deployment Protection and cookie handling.
Recommended Actions —
- Review cookie settings for every application hosted on Vercel: set SameSite=Lax or Strict, HttpOnly and Secure on session cookies, and confirm that any Protection Bypass for Automation secret is stored only where CI needs it and rotated if its exposure is in doubt.
- Log and alert on any request that carries the X‑Vercel‑Set‑Bypass‑Cookie header. Match header names case‑insensitively, and treat a request that also carries X‑Vercel‑Protection‑Bypass as higher severity.
- Conduct a short‑term risk assessment of applications hosted on Vercel to verify that session handling cannot be subverted by a bypass cookie.
- Engage Vercel support to confirm how your deployments treat the header and to request hardening guidance.
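To turn the logging and alerting recommendation into something concrete, the following is an added detection example written for this page; it is not code from SANS ISC or Vercel. It assumes JSON access logs with ts, src, path and headers fields (the sample lines are constructed for the example) and also parses a raw honeypot request head. Header names are matched case‑insensitively, and a request carrying an X‑Vercel‑Protection‑Bypass value alongside the cookie header is rated higher than the cookie header alone.

```python
"""Flag HTTP requests that carry Vercel protection-bypass headers.

Added example, not code from SANS ISC or Vercel. The log format, field
names and sample lines below are assumptions constructed for this example.
"""
import json
from typing import Dict, Iterable, List

# Header names are compared case-insensitively, as HTTP requires.
WATCHED_HEADERS = {
    "x-vercel-set-bypass-cookie",   # asks the edge to set the bypass cookie
    "x-vercel-protection-bypass",   # carries the bypass secret itself
}

# Constructed sample access-log lines (JSON, one request per line).
# Addresses, paths and the "notarealsecret" value are made up.
SAMPLE_LOG = """
{"ts":"2025-06-14T02:11:07Z","src":"198.51.100.7","method":"GET","path":"/","headers":{"Host":"example.test","User-Agent":"curl/8.6.0","X-Vercel-Set-Bypass-Cookie":"true"}}
{"ts":"2025-06-14T02:11:09Z","src":"198.51.100.7","method":"GET","path":"/api/me","headers":{"Host":"example.test","x-vercel-set-bypass-cookie":"samesitenone","x-vercel-protection-bypass":"notarealsecret"}}
{"ts":"2025-06-14T02:12:30Z","src":"203.0.113.5","method":"GET","path":"/","headers":{"Host":"example.test","User-Agent":"Mozilla/5.0"}}
"""


def find_bypass_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return the watched headers present in `headers`, keyed by lowercase name."""
    return {
        name.lower(): value
        for name, value in headers.items()
        if name.lower() in WATCHED_HEADERS
    }


def classify(hits: Dict[str, str]) -> str:
    """Rate a hit. The cookie header on its own carries no secret and reads as
    reconnaissance; combined with a bypass secret it is an access attempt."""
    if "x-vercel-protection-bypass" in hits:
        return "high"
    return "medium"


def scan_log(lines: Iterable[str]) -> List[dict]:
    """Scan JSON access-log lines and return one alert per matching request."""
    alerts: List[dict] = []
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        rec = json.loads(raw)
        hits = find_bypass_headers(rec.get("headers", {}))
        if not hits:
            continue
        alerts.append({
            "ts": rec.get("ts"),
            "src": rec.get("src"),
            "path": rec.get("path"),
            "headers": hits,
            "severity": classify(hits),
        })
    return alerts


def parse_raw_request(raw: str) -> Dict[str, str]:
    """Extract the header map from a raw HTTP/1.x request head, e.g. from a
    honeypot capture; the request line is skipped and names are lowercased."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG.splitlines()):
        print(json.dumps(alert))
```

Running the script prints two alerts: a medium one for the bare cookie header and a high one for the request that also carries a bypass value. Pipe real access logs into scan_log, or feed raw request dumps through parse_raw_request first, and forward the result to whatever SIEM or pager the TPRM process already uses.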
Technical Notes — The observed traffic consists of ordinary HTTP requests carrying an extra request header; it is not header injection, and no CVE has been assigned. The header name matches the one Vercel documents for setting the Deployment Protection bypass cookie, which is only useful alongside a valid X‑Vercel‑Protection‑Bypass secret, so the requests look like probing rather than a working exploit. Data at risk, should a bypass secret leak, would be session cookies and any authentication tokens stored in them, together with the contents of otherwise protected preview deployments. Source: SANS Internet Storm Center