Coding With AI? Catch the Security Gaps Before You Ship

On 2 February 2025, Andrej Karpathy posted a message on X describing what he called "vibe coding": give in to the AI, forget the code even exists, and accept whatever it outputs. The idea captured something real about how fast AI coding tools had become. Within months, no-code AI app builders extended the concept to people with no programming background at all, and a wave of founders, students, and side-project builders began shipping software they had never read line by line. The security assumption underneath all of it is that the AI knows what safe code looks like. A growing body of controlled research and a string of real incidents show it does not, not reliably, and not for the vulnerability classes that matter most when production systems handle real users and real data.

What vibe coding is

The term arrived on 2 February 2025 in a post by Andrej Karpathy on X, the former Tesla AI director and OpenAI co-founder. He described "a new kind of coding" in which a developer "fully gives in to the vibes, embraces exponentials, and forgets that the code even exists" because AI models "are getting too good." The post drew millions of views within days and gave a name to a practice that was already spreading rapidly.

In practical terms, vibe coding means building software by issuing natural-language prompts to an AI assistant, Cursor, GitHub Copilot, Claude Code, or a no-code AI builder like Lovable or Bolt, and accepting its output without a systematic, line-by-line security review. The developer steers by describing desired behaviour and iterates when something obviously fails. What does not obviously fail can ship.

The practice exists on a spectrum. An experienced engineer who uses AI to scaffold boilerplate and then reviews every suggestion sits at one end. A first-time builder who prompts a no-code platform to "create a booking app with payments" and publishes the result sits at the other. The security failure mode is not AI assistance itself. It is what happens when AI tools emit insecure patterns at measurable rates and the developer lacks the training to recognise those patterns when they surface in the output.

Why AI produces insecure code: the mechanism

A large language model generates the statistically most probable continuation of the text it has seen so far. Five structural properties of how these models are built and used combine to produce a persistent security gap.

1. Trained on a vulnerable corpus. Public code repositories, which form the bulk of training data, contain large amounts of historically insecure code. SQL injection vulnerabilities and cross-site scripting bugs that were fixed years after they were written are embedded in the training corpus alongside the fix. The model learns patterns from both, with no signal distinguishing "this is a vulnerability" from "this is how everyone wrote this function in 2012."
2. No threat model. A security engineer asks: who might abuse this function? What does the worst-case input look like? What happens when this authentication check fails? A large language model is generating text that resembles what a programmer would type next. It has no internal representation of attackers or attack surfaces, and it does not reason about adversarial use.
3. Confident wrong output. LLMs generate responses with the same fluent confidence whether they are correct or they are producing something plausible but dangerous. There is no internal signal that distinguishes "I know the secure pattern here" from "I am generating something functional that happens to skip input validation." The developer receives a well-formatted, working-looking result in both cases.
4. Missing auth and validation by default. When a prompt asks for a REST endpoint that retrieves user data, the model produces code that fetches and returns the data. Authentication middleware, rate limiting, and output sanitisation are separate concerns the prompt rarely specifies, and the model does not reliably infer their necessity.
5. Hardcoded secrets as the path of least resistance. AI models are good at producing working connection strings, API calls, and configuration snippets, all of which require credentials. The simplest working code puts the key in the file, exactly as it appears in countless training examples written before secrets hygiene became a standard concern. The model does not protest; it has seen this pattern too many times to treat it as unusual.

The evidence and scale

Three bodies of research, conducted independently across different years with different methodologies, converge on a consistent finding: AI coding tools introduce security vulnerabilities at high rates, and developers using them often fail to detect the problem.

The earliest controlled study came from researchers at New York University. Published at the 2022 IEEE Symposium on Security and Privacy under the title "Asleep at the Keyboard?", the team generated 1,689 programs across 89 scenarios targeting CWEs from the MITRE Top 25 list using GitHub Copilot. Roughly 40 percent of the generated programs contained vulnerabilities. That finding remains a widely cited baseline for the inherent risk in accepting AI-generated code without review.

A 2023 study by Stanford researchers Neil Perry, Megha Srivastava, Deepak Kumar, and Dan Boneh, published at ACM CCS, ran 47 participants through security-sensitive coding tasks with and without an AI assistant. Those with AI access wrote significantly less secure code than those working without it. The more instructive finding was the confidence gap: participants with AI access were more likely to believe their code was secure than those who had written it themselves without assistance. The AI imposed a false sense of completion. The task felt done, so the checking stopped.

The largest systematic test to date is the Veracode 2025 GenAI Code Security Report, published July 2025. Veracode evaluated output from more than 100 large language models across 80 structured coding tasks, covering SQL injection (CWE-89), cross-site scripting (CWE-79), log injection (CWE-117), and insecure cryptographic algorithms (CWE-327) in Java, JavaScript, C#, and Python. In 45 percent of tasks, the model introduced a known security flaw into the generated code. Java was the worst-performing language, with a 72 percent failure rate. XSS tasks failed 86 percent of the time; log injection tasks failed 88 percent. Model size showed no correlation with improved security: newer and larger models did not produce meaningfully safer code.

Common vulnerability classes in AI-generated code

These are the vulnerability patterns that appear most consistently in research and real-world security reviews of AI-generated codebases, alongside the mechanism by which AI tools specifically introduce them.

The secrets leakage problem

API keys, database credentials, tokens, and webhook URLs deserve separate attention. AI coding tools are specifically designed to produce working code, and working code that connects to external services requires credentials somewhere. The path of least resistance is to embed them in the source file. The model does not flag this; it has seen this pattern thousands of times in training data that predates modern secrets-hygiene practice.

GitGuardian's State of Secrets Sprawl 2025 found 23.8 million secrets exposed on public GitHub repositories across 2024, a 25 percent year-over-year increase, with 70 percent of secrets leaked in 2022 still unrevoked at publication time. The 2026 edition, covering 2025 data, reported 28.65 million hardcoded secrets, a 34 percent increase and the largest single-year jump on record. AI-service secrets (keys for large language model APIs, including over 113,000 leaked DeepSeek API keys) surged 81 percent year on year. Commits made with Claude Code leaked secrets at 3.2 percent, roughly twice the 1.5 percent baseline for non-AI-assisted code.

The compounding problem is persistence. A leaked key is not only a risk at the moment of exposure: it is a risk for as long as the downstream service keeps accepting it. Rotating credentials after a leak is a manual operational step that most developers working in a rapid vibe-coding loop do not take until they see evidence of misuse.

Real incidents

The no-code and app-builder angle

Vibe coding reaches its furthest extent when an AI app builder generates the entire application stack from a single prompt, including the frontend, backend, and database schema. These platforms are designed for speed and accessibility. A working application can appear in minutes without the builder ever seeing the underlying code, let alone auditing it for security properties.

This creates a structural security problem that goes beyond individual developer behaviour. When a non-technical founder prompts "build a SaaS app where users sign up and pay monthly," the resulting application may have authentication working in the sense that logins succeed, while lacking server-side authorisation on data endpoints, input validation, rate limiting, and properly configured database access controls. None of those failures surface in a quick functional test. They surface when someone probes the API directly, bypassing the interface the builder tested.

The Wiz findings give the scale of the problem: one in five organisations using these platforms was found to be running applications with at least one of the four systematic vulnerability classes identified. The most common was client-side authentication logic, where access decisions happen entirely in the browser where any user can override them. The second most common was exposed API keys in JavaScript files, the same pattern the GitGuardian data shows multiplying across public repositories.

Platform vendors have begun to respond. Following the attention generated by Moltbook and similar cases, several builders added security-checklist prompts, automatic Row Level Security enablement, and warnings when secrets appear in generated code. These are meaningful improvements. They do not, however, alter the underlying dynamic: the AI generates functional code first, and security properties remain an afterthought unless the platform or the developer specifically enforces them before anything goes live.

How to build safely with AI

AI assistance does not have to mean insecure software. The steps below address the specific mechanisms through which AI tools introduce vulnerabilities and can be applied at any level of technical experience.

1. Write a threat model before you prompt. Before asking the AI to build anything, write one paragraph describing the worst thing a malicious user could do with this application. Who are your users? What data are you storing? What happens if someone accesses another person's records? This framing changes the prompts you write and the outputs you are willing to accept.
2. Treat AI output as a draft, not a deliverable. Both the Stanford and Veracode studies show that AI code fails security checks at high rates even when it passes functional tests. Review every generated file for the vulnerability classes in the table above before deploying anything that handles real user data or connects to a production service.
3. Never let credentials live in source files. If the AI produces a database URL, API key, or service token inline in a source file, remove it before the file touches version control. Use environment variables, a platform-native secrets store, or a dedicated secrets manager. Check your commit history: secrets pushed to Git and then deleted remain in the history and are recoverable.
4. Run a static analysis scanner before deployment. Tools such as Semgrep, Snyk Code, and Bandit (for Python) scan source code for known vulnerability patterns without executing it. Many have free tiers and can run as a pre-commit hook or a one-step CLI check. They catch a substantial share of the SQL injection, XSS, and hardcoded-credential patterns that AI tools introduce, at essentially zero marginal effort once configured.
5. Enable database access controls from day one. On Supabase, enable Row Level Security on every table before writing any user data to it, then test by querying with a user credential that does not own the targeted record. On Firebase, set Firestore security rules to deny all access by default and open only the paths the application genuinely needs. Testing access controls costs five minutes; discovering you skipped them after a breach costs considerably more.
6. Keep development and production environments strictly separate. Do not vibe-code against a production database. Use a separate environment with synthetic data, and use a separate set of credentials. The Replit incident would have been a recoverable nuisance rather than a production outage if the AI agent had been working against a development environment that contained no live records.
7. Prompt for security explicitly, then verify independently. AI tools respond to what you ask. After generating a feature, follow up: "Review this code for missing authentication, broken authorisation, input validation gaps, and any hardcoded credentials. List every security concern you find." The AI will not catch everything, the studies document that, but an explicit security prompt narrows the gap, and it establishes a review habit that scales as the application grows.

What it means for the industry

The studies and incidents described here point to a structural tension in the current state of AI-assisted software development. The productivity gains are real: AI coding tools compress hours of boilerplate into minutes and make software development accessible to people who would otherwise be locked out entirely. That value will not be unwound.

What the data also shows is that the security model has not kept pace with the productivity gains. Training a model to generate syntactically correct, functionally working code is a different problem from training it to generate secure code. The Veracode findings are explicit on this point: across more than 100 models tested in 2025, there was no meaningful correlation between model size or recency and security performance. The models that are better at writing code are not, by that fact, better at writing secure code.

The industry response is taking two parallel forms. On the tool side, vendors are adding security scanning, guardrails, environment separation, and secrets detection as first-class features, raising the floor on how badly a vibe-coding session can go. On the regulatory side, frameworks are beginning to ask who bears responsibility when an AI-generated application causes a data breach. Provisions in the EU AI Act covering high-risk systems, and product-liability discussions in the US, will eventually place more of that responsibility on tool developers and platform operators, rather than entirely on the individual user who accepted output they were not equipped to assess.

For anyone building software with AI assistance today, the practical gap is this: the absence of an obvious runtime error is not evidence of security. The studies show vulnerabilities at rates that make a complete security review of AI-generated code the expected norm, not a premium precaution reserved for financial or healthcare applications. The tools will improve. The discipline of checking what the tools produce needs to improve at the same rate.

Frequently asked questions

Is vibe coding inherently insecure?

No. AI assistance is a tool, and tools can be used carefully. The security risk is specifically the combination of AI tools that emit insecure patterns at measurable rates and developers who accept output without review. Developers who treat AI output as a draft and apply security checks before deployment reduce the risk substantially. The studies show risk in the output, not in the act of using the tool.

Do larger or newer AI models produce safer code?

The Veracode 2025 data found no meaningful correlation between model size or recency and security performance across more than 100 models tested. A model that scores better on general coding benchmarks does not necessarily score better on security-sensitive coding tasks. This was one of the central findings of the report.

What is the most common vulnerability class in vibe-coded apps?

Based on the Wiz research and the Veracode study, the most consistently appearing class is missing or misconfigured access controls: authentication that works at the login screen but fails to authorise individual data requests, and database configurations that allow any caller to read any record. Hardcoded credentials are a close second and are often the most immediately exploitable because they require no special technique to find and use.

How do I check if an existing app already has these issues?

Run a static analysis tool such as Snyk Code or Semgrep against the source code. For secrets, run Gitleaks or TruffleHog against the full commit history, not just the current working tree. For database authorisation, attempt to query a record owned by one user while authenticated as a different user: if it succeeds, the authorisation layer is not working. For frontend-only security logic, open the browser developer tools and examine whether any authentication or access-control decisions are happening in JavaScript that a user could modify.

Who is legally responsible if an AI-generated app causes a breach?

Under current law in most jurisdictions, the operator of the application bears the compliance and liability obligation. The fact that an AI tool generated the code is not a recognised defence under data-protection law (GDPR, India's Digital Personal Data Protection Act, the California Consumer Privacy Act, or equivalent frameworks). Regulators assess the system that was deployed and the data that was exposed, not the development method used to build it. This is an active area of discussion under the EU AI Act's product-liability provisions, but no jurisdiction has yet shifted that baseline responsibility away from the deploying entity.

Sources

1. Andrej Karpathy, X (formerly Twitter), 2 February 2025. x.com/karpathy/status/1886192184808149383
2. Veracode, 2025 GenAI Code Security Report, July 2025. veracode.com/resources/analyst-reports/2025-genai-code-security-report/
3. Pearce et al., "Asleep at the Keyboard? Assessing the Security of GitHub Copilot's Code Contributions", IEEE Symposium on Security and Privacy, 2022; republished in Communications of the ACM. cacm.acm.org/research-highlights/asleep-at-the-keyboard
4. Perry, Srivastava, Kumar, Boneh, "Do Users Write More Insecure Code with AI Assistants?", ACM CCS 2023. arxiv.org/abs/2211.03622
5. GitGuardian, State of Secrets Sprawl 2025. blog.gitguardian.com/the-state-of-secrets-sprawl-2025/
6. GitGuardian, State of Secrets Sprawl 2026, March 2026. blog.gitguardian.com/the-state-of-secrets-sprawl-2026/
7. AI Incident Database, Incident 1152: "LLM-Driven Replit Agent Reportedly Executed Unauthorized Destructive Commands During Code Freeze". incidentdatabase.ai/cite/1152/
8. Tom's Hardware, "AI coding platform goes rogue during code freeze and deletes entire company database", July 2025. tomshardware.com, Replit CEO apology coverage
9. Wiz Research, "Hacking Moltbook: AI Social Network Reveals 1.5M API Keys", February 2026. wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-keys
10. Wiz Research, "Common Security Risks in Vibe-Coded Apps", 2025. wiz.io/blog/common-security-risks-in-vibe-coded-apps
11. Infosecurity Magazine, "Vibe-Coded Moltbook Exposes User Data, API Keys and More", 2026. infosecurity-magazine.com/news/moltbook-exposes-user-data-api/