Nearly half of all code generated by AI found to contain security flaws – even big LLMs affected
- Report finds 45% of AI-generated code had security flaws
- Java is the worst offender, Python, C# and JavaScript also affected
- Rise in vibe coding could make these threats even worse
Nearly half (45%) of AI-generated code contains security flaws despite appearing production-ready, new research from Veracode has found.
Its study of more than 100 large language models across 80 different coding tasks revealed no improvement in security across newer or larger models – an alarming reality for companies that rely on AI tools to back up, or even replace, human productivity.
Java was found to be the worst affected, with a 70%+ failure rate, but Python, C# and JavaScript also had failure rates of 38-45%.
AI-generated code isn’t so secure after all
The news comes as more and more developers rely on generative AI to help them get code written – as much as a third of new Google and Microsoft code could now be AI-generated.
“The rise of vibe coding, where developers rely on AI to generate code, typically without explicitly defining security requirements, represents a fundamental shift in how software is built,” Veracode CTO Jens Wessling explained.
Veracode found LLMs chose insecure methods of coding 45% of the time, failing to defend against cross-site scripting (86%) and log injection (88%).
“Our research shows models are getting better at coding accurately but are not improving at security,” Wessling added.
Vulnerabilities are also amplified in the modern era of AI – artificial intelligence enables attackers to exploit them faster and at scale.
Veracode suggests developers enable security checks in AI-driven workflows to enforce compliance and security. Companies should also adopt AI remediation guidance to train developers, deploy firewalls and use tools that help detect flaws earlier.
“AI coding assistants and agentic workflows represent the future of software development… Security cannot be an afterthought if we want to prevent the accumulation of massive security debt,” Wessling concluded.