Resrianchopublished

**Name of the Vulnerable Software and Affected Versions** Vercel CLI versions 50.16.0 through 52.0.0 **Description** When running in non-interactive mode (via the `--non-interactive` flag or auto-detected AI agent), commands that cannot complete autonomously emit JSON payloads containing suggested follow-up commands. If authentication was performed using the `--token` or `-t` command-line arguments, the token value is included in plaintext within these suggestions. This can lead to the token being captured in CI/CD logs, agent transcripts, or other automation output. This issue occurs only when the token is passed as a CLI argument; the `VERCEL TOKEN` environment variable is not affected. **Recommendations** Update to version 52.0.1. Rotate tokens if `--token` was previously used with `--non-interactive` and logs were exposed. Use the `VERCEL TOKEN` environment variable for authentication instead of command-line arguments.