BIPI
BIPI

Vibe Coding's Security Problem: What AI-Generated Code Is Actually Getting Wrong in 2025

AI Security

Vibe coding — shipping software written largely or entirely by AI coding assistants without deep review — is now a mainstream practice. It is also producing a predictable set of security vulnerabilities at scale. Here is the pattern catalogue and what engineering teams should do about it.

By Arjun Raghavan, Security & Systems Lead, BIPI · July 11, 2025 · 10 min read

#vibe-coding#ai-code-generation#secure-coding#llm-security#sast#code-review

The term 'vibe coding' entered the engineering lexicon in early 2025 when Andrej Karpathy used it to describe the emerging practice of writing software by describing what you want to an AI and accepting what it gives you without deep scrutiny. Karpathy framed it as a productivity unlock. Security teams have spent the months since then documenting the vulnerabilities it produces. Both framings are accurate.

Why AI-Generated Code Has Predictable Vulnerability Patterns

Large language models generate code by learning statistical patterns from training data. That training data contains a lot of insecure code — Stack Overflow answers that work but are not hardened, tutorial repositories that prioritise clarity over security, legacy codebases that predate modern security practices. The model learns these patterns alongside the correct ones. When generating new code, it reproduces the statistical average, which includes the insecure average.

The Vulnerability Pattern Catalogue

  • SQL injection via f-string interpolation: AI models consistently generate direct string interpolation into SQL queries when not explicitly prompted for parameterised queries
  • Hardcoded credentials: API keys, database passwords, and JWT secrets hardcoded in generated configuration files and environment setup code
  • Overly permissive CORS: AI-generated backend starters frequently allow all origins by default with no prompt to restrict this before production
  • Missing authentication on generated API routes: when asked to 'add an endpoint to delete a user', models often skip auth middleware unless explicitly asked
  • Insecure direct object references: generated CRUD code frequently uses user-supplied IDs without ownership verification
  • Verbose error messages: AI-generated error handlers return stack traces and internal paths by default, optimising for debuggability over security
  • Outdated dependencies: models trained before a cutoff date generate install commands for dependency versions with known CVEs
  • Missing rate limiting: generated APIs rarely include rate limiting or request throttling without explicit prompting

The Scale Problem

Individual AI-generated vulnerabilities are not new — human developers make the same mistakes. The difference is velocity and homogeneity. Vibe coding produces code at ten to one hundred times the speed of human coding, and AI models produce statistically similar code across different users and organisations. This means that when a vulnerability pattern is present in AI-generated code, it is present at scale and in near-identical form across many codebases simultaneously. That homogeneity is a gift to attackers doing automated scanning.

What to Do About It

  1. Add SAST to your CI pipeline if you have not already — AI code makes this more important, not less
  2. Configure your AI coding assistant with a security-focused system prompt that explicitly requests parameterised queries, no hardcoded secrets, and auth on all routes
  3. Run secret scanning on every commit, not just on files that look like config — AI models embed secrets in unexpected locations
  4. Implement DAST against staging environments before production deployment — AI-generated APIs frequently have auth and IDOR issues invisible to SAST
  5. Educate developers that accepting AI-generated code is the same as writing that code — the security responsibility does not transfer to the model
  6. Establish a vibe-coding-specific review checklist covering the top ten AI vulnerability patterns for your stack
40%
of AI-generated code samples in 2025 research contained at least one OWASP Top 10 vulnerability
14×
higher rate of default hardcoded secrets in AI-generated repos vs. human-authored repos on GitHub
faster time-to-exploit for homogeneous AI-generated vulnerabilities due to automated scanner effectiveness

The Right Frame

Vibe coding is not going away. The productivity gains are real and the tooling is improving rapidly. The answer is not to avoid AI-generated code but to treat it with the same systematic scepticism that good engineering applies to any untrusted input — review it, scan it, test it, and never assume that because it looks correct it is secure. The AI is optimising for making your tests pass. Security is your responsibility.

Read more field notes, explore our services, or get in touch at info@bipi.in. Privacy Policy · Terms.