Whereas AI is turning into higher at producing that useful code, additionally it is enabling attackers to establish and exploit vulnerabilities in that code extra rapidly and successfully. That is making it simpler for less-skilled programmers to assault the code, rising the pace and class of these assaults — making a scenario during which code vulnerabilities are rising at the same time as the power to use them is turning into simpler, in accordance with new analysis from software danger administration software program supplier Veracode.
AI-generated code launched safety vulnerabilities in 45% of 80 curated coding duties throughout greater than 100 LLMs, in accordance with the 2025 GenAI Code Safety Report. The analysis additionally discovered that GenAI fashions selected an insecure methodology to write down code over a safe methodology 45% of the time. So, though AI can create code that’s useful and syntaactically appropriate, the report reveals that safety efficiency has not stored tempo.
“The rise of vibe coding, the place builders depend on AI to generate code, usually with out explicitly defining safety necessities, represents a elementary shift in how software program is constructed,” Jens Wessling, chief know-how officer at Veracode, mentioned in an announcement saying the report. “The primary concern with this pattern is that they don’t must specify safety constraints to get the code they need, successfully leaving safe coding selections to LLMs. Our analysis reveals GenAI fashions make the mistaken decisions practically half the time, and it’s not enhancing.”
In saying the report, Veracode wrote: “To judge the safety properties of LLM-generated code, Veracode designed a set of 80 code completion duties with recognized potential for safety vulnerabilities in accordance with the MITRE Frequent Weak spot Enumeration (CWE) system, a regular classification of software program weaknesses that may flip into vulnerabilities. The duties prompted greater than 100 LLMs to auto-complete a block of code in a safe or insecure method, which the analysis staff then analyzed utilizing Veracode Static Evaluation. In 45 % of all check instances, LLMs launched vulnerabilities categorised throughout the OWASP (Open Internet Software Safety Undertaking) Prime 10—essentially the most important net software safety dangers.”
Different findings within the report had been that Java was discovered to be the riskiest of programming languages for AI code technology, with a safety failure fee of greater than 70%. Failure charges of between 38% and 45% had been present in apps creating in Python, C# and JavaScript. The analysis additionally revealed LLMs did not safe code towards cross-site scripting and log injection in 86% and 88%, respectively, in accordance with Veracode.
Wessling famous that the analysis confirmed that bigger fashions carry out no higher than smaller fashions, which he mentioned signifies that the vulnerability difficulty is a systemic one, reasonably than an LLM scaling downside.
“AI coding assistants and agentic workflows symbolize the way forward for software program growth, and they’ll proceed to evolve at a speedy tempo,” Wessling concluded. “The problem dealing with each group is making certain safety evolves alongside these new capabilities. Safety can’t be an afterthought if we wish to forestall the buildup of huge safety debt.”