Recent testing shows that popular AI-powered coding tools often produce insecure code. These platforms are meant to boost productivity by automating programming tasks, but they still struggle with security. Experts warn that some vulnerabilities they create could be dangerous, especially in sensitive systems like e-commerce.

Insecure Code From AI Coding Tools

A security startup called Tenzai conducted a study in December 2025, testing five well-known vibe coding platforms. They used common prompts to generate three different applications with each tool. Overall, the tools produced 69 security flaws across 15 applications. Most of these flaws were low to medium severity, but some were rated as high or critical.

Among the five tools tested—Claude Code, OpenAI Codex, Cursor, Replit, and Devin—only Claude Code, Devin, and Codex generated vulnerabilities rated as critical. The most serious issues involved API authorization checks and business logic errors, which are crucial for secure online transactions. These vulnerabilities could allow unauthorized access or permit actions that should be blocked.

Strengths and Weaknesses of AI Coding

The study found that AI coding tools are generally better at avoiding common security mistakes like SQL injection or cross-site scripting. In fact, none of the applications showed exploitable SQLi or XSS vulnerabilities. However, the tools are not perfect and tend to miss deeper security problems, especially those dependent on the application’s context.

One major challenge is that AI agents lack common sense and intuition that human developers use to identify risky workflows. For example, they often fail to spot business logic errors or authorization flaws that require understanding of how the system should behave. This means human oversight remains essential to catch and fix these issues.

While the technology can automate many coding tasks, it does not replace the need for skilled developers. Proper review and debugging are still crucial to ensure security, especially for sensitive applications. The findings reinforce that relying solely on AI-generated code can introduce new vulnerabilities if not carefully checked.

Limitations and the Road Ahead

The study also highlights a fundamental problem with defining what makes code secure or unsafe. For some issues, like server-side request forgery (SSRF), there are no universal rules to determine if a URL fetch is safe or malicious. The context matters a lot, making it impossible for AI tools to always distinguish between legitimate and harmful actions.

Experts believe that the industry should now focus on improving these AI platforms to better understand context and security risks. Developing smarter guidelines and integrating more nuanced security checks could help reduce the number of critical flaws. Until then, human developers should continue to supervise AI-generated code carefully.

In summary, vibe coding tools are promising but not perfect. They can speed up development and avoid some common security issues, but they still produce risky vulnerabilities that could be exploited. Users need to stay vigilant and review AI output thoroughly to build safe, secure applications.

Inspired by

• https://www.infoworld.com/article/4116937/output-from-vibe-coding-tools-prone-to-critical-security-flaws-study-finds-2.html

Sources

• tenzai.com
• owasp.org
• owasp.org
• csoonline.com
• csoonline.com