Whereas AI is changing into higher at producing that practical code, additionally it is enabling attackers to establish and exploit vulnerabilities in that code extra rapidly and successfully. That is making it simpler for less-skilled programmers to assault the code, rising the pace and class of these assaults — making a state of affairs during which code vulnerabilities are rising whilst the power to take advantage of them is changing into simpler, based on new analysis from utility danger administration software program supplier Veracode.
AI-generated code launched safety vulnerabilities in 45% of 80 curated coding duties throughout greater than 100 LLMs, based on the 2025 GenAI Code Safety Report. The analysis additionally discovered that GenAI fashions selected an insecure methodology to write down code over a safe methodology 45% of the time. So, although AI can create code that’s practical and syntaactically right, the report reveals that safety efficiency has not stored tempo.
“The rise of vibe coding, the place builders depend on AI to generate code, usually with out explicitly defining safety necessities, represents a elementary shift in how software program is constructed,” Jens Wessling, chief know-how officer at Veracode, mentioned in a press release saying the report. “The principle concern with this pattern is that they don’t have to specify safety constraints to get the code they need, successfully leaving safe coding choices to LLMs. Our analysis reveals GenAI fashions make the mistaken decisions practically half the time, and it’s not enhancing.”
In saying the report, Veracode wrote: “To judge the safety properties of LLM-generated code, Veracode designed a set of 80 code completion duties with recognized potential for safety vulnerabilities based on the MITRE Widespread Weak spot Enumeration (CWE) system, a regular classification of software program weaknesses that may flip into vulnerabilities. The duties prompted greater than 100 LLMs to auto-complete a block of code in a safe or insecure method, which the analysis crew then analyzed utilizing Veracode Static Evaluation. In 45 % of all check circumstances, LLMs launched vulnerabilities categorized throughout the OWASP (Open Internet Software Safety Venture) High 10—probably the most essential net utility safety dangers.”
Different findings within the report had been that Java was discovered to be the riskiest of programming languages for AI code technology, with a safety failure fee of greater than 70%. Failure charges of between 38% and 45% had been present in apps creating in Python, C# and JavaScript. The analysis additionally revealed LLMs didn’t safe code towards cross-site scripting and log injection in 86% and 88%, respectively, based on Veracode.
Wessling famous that the analysis confirmed that bigger fashions carry out no higher than smaller fashions, which he mentioned signifies that the vulnerability challenge is a systemic one, reasonably than an LLM scaling downside.
“AI coding assistants and agentic workflows characterize the way forward for software program growth, and they’ll proceed to evolve at a speedy tempo,” Wessling concluded. “The problem going through each group is making certain safety evolves alongside these new capabilities. Safety can’t be an afterthought if we need to stop the buildup of huge safety debt.”
