The Most Common Security Vulnerabilities in AI-Generated Code

Learn about the most common and emerging security risks of AI-generated code, from injection flaws to hallucinated dependencies.

Written by
Andrew Stiefel
Published on
August 12, 2025

Recent academic studies show that over 40% of AI-generated code solutions contain security flaws, even with the latest generation of large language models (LLMs). These vulnerabilities aren’t new, but their patterns are: they surface in unexpected ways, occur more frequently, and often slip past existing safeguards. Many are depressingly ordinary, which isn’t surprising given how these models have been “taught” to code.

LLMs are trained on open source code

For the large language models (LLMs) behind tools like GitHub Copilot, Cursor, or Replit’s Ghostwriter, the raw materials often come from public GitHub repositories, documentation, Stack Overflow, and other open code sources. The training data includes:

  • Good code: popular libraries, clean examples, best practices
  • Bad code: outdated APIs, inefficient algorithms, poorly documented
  • Ugly code: insecure snippets, libraries with CVEs

This undiscerning appetite for code results in LLMs inheriting not just the brilliance of open source but also its flaws. If insecure patterns are prevalent in the training data, the model is more likely to replicate them.

Many security risks are familiar

Academic reviews show that LLMs introduce security vulnerabilities at similar rates—likely a reflection of their shared training data. Recent studies show that these flaws often align with the CWE Top 25, with certain weaknesses appearing far more frequently than others:

Missing input validation and injection flaws

At the top of the list are classic input-related vulnerabilities. AI-generated code frequently omits input validation unless the prompt explicitly asks for it, so the output is often insecure by default. This leads to recurring instances of:

  • Missing input validation (CWE-20)
  • SQL injection (CWE-89)
  • OS command injection (CWE-78)

Recent academic studies confirm that missing input sanitization is the most common security flaw in LLM-generated code across languages and models. Even when instructed to “write secure code,” models may apply inconsistent or overly simplistic checks, especially when lacking architectural context.
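
The pattern above, shown as a before-and-after pair. This is an added example, not code from the original article; the `scores` table, the username policy and the input value are constructed for illustration.

```python
import re
import sqlite3

USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")  # assumed username policy
QUOTED_INPUT = "x' OR '1'='1"  # constructed input containing SQL syntax

def make_db():
    """Constructed sample data: three users and their scores."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE scores (username TEXT, score INTEGER)")
    db.executemany("INSERT INTO scores VALUES (?, ?)",
                   [("alice", 90), ("bob", 72), ("carol", 85)])
    return db

def scores_unsafe(db, username):
    """Before: the value is concatenated into the statement (CWE-89)."""
    sql = "SELECT username, score FROM scores WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def scores_bound(db, username):
    """After, step 1: the value is bound as a parameter and stays data."""
    sql = "SELECT username, score FROM scores WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

def scores_safe(db, username):
    """After, step 2: reject input outside the expected shape first (CWE-20)."""
    if not isinstance(username, str) or not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    return scores_bound(db, username)

def demo():
    """Run the same constructed input through all three variants."""
    db = make_db()
    try:
        scores_safe(db, QUOTED_INPUT)
        rejected = False
    except ValueError:
        rejected = True
    return (len(scores_unsafe(db, QUOTED_INPUT)),  # rows from the concatenated query
            len(scores_bound(db, QUOTED_INPUT)),   # rows when the value is bound
            rejected)                              # whether validation refused it

if __name__ == "__main__":
    print(demo())
```

Binding alone already keeps the value out of the SQL grammar; the validation step is what stops malformed input from reaching later code that may not be as careful.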

Authentication and authorization failures

Prompts that omit security guidance can result in applications with no authentication, hard-coded secrets, or unrestricted access to backend systems. For example, a typical prompt like “hook up to a database and display user scores” often results in code that bypasses authentication and authorization entirely—yielding:

  • Broken authentication (CWE-306)
  • Broken access control (CWE-284)
  • Hard-coded credentials (CWE-798)

This pattern has been observed in both laboratory environments and real-world testing with tools such as GitHub Copilot and Cursor. These vulnerabilities are especially dangerous as AI agents are increasingly used to scaffold full-stack services, where human review may be minimal or nonexistent.

AI-generated code also introduces novel security risks

AI does introduce novel security risks, which stem primarily from how LLMs and agents operate and from the shortcomings of these systems. AI systems can generate a lot of code quickly—but they don’t do it the same way as humans.

Dependency explosion and stale libraries

Another common risk arises from dependency overuse. Even simple prompts can generate complex applications with expansive dependency trees. In one internal test, a prompt for a “To-do list app” yielded between two and five backend dependencies, depending on the model used. Each new dependency expands the attack surface and multiplies the risk of including a vulnerable package.

Models also know only the library versions that existed when their training data was collected. This temporal gap means models may suggest libraries with known CVEs patched after the model’s training cutoff, effectively re-introducing resolved vulnerabilities into new code. For example, GitHub reported a sharp rise in CVEs linked to open-source dependencies in 2023, citing the role of automated tooling (including AI) in spreading outdated or vulnerable code across the ecosystem.

Hallucinated dependencies

Hallucinated dependencies occur when an AI model suggests importing or installing a package that doesn’t actually exist. This creates a dangerous opportunity for attackers, who can register the unused package name in public repositories and fill it with malicious code (so-called “slopsquatting”). If a developer trusts the AI’s suggestion and installs it, they could unknowingly grant an attacker full access to their system or development pipeline.
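
One way to gate AI-suggested dependencies before anything is installed, covering both the stale-library and the hallucinated-package cases above. This is an added example, not code from the original article; the package names, the vetted list and its minimum versions are all constructed, and a real gate would draw them from an internal index or advisory feed.

```python
import re

# Constructed data: packages this (hypothetical) team has vetted, mapped to the
# lowest version that includes all fixes they know about.
VETTED_MINIMUMS = {"acme-http": "2.4.0", "acme-orm": "1.3.2", "acme-auth": "5.0.1"}

REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:==\s*(\d+(?:\.\d+)*))?$")

def normalize(name):
    """PEP 503 normalization, so Acme_ORM and acme-orm compare equal."""
    return re.sub(r"[-_.]+", "-", name).lower()

def version_key(text, width=4):
    """Turn '1.3' into (1, 3, 0, 0) so versions compare numerically."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))

def review_requirements(lines, vetted=VETTED_MINIMUMS):
    """Return (name, finding) pairs that should block an install."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        match = REQ_RE.match(line)
        if not match:
            findings.append((line, "unparsed"))        # ranges, URLs, extras
            continue
        name, version = normalize(match.group(1)), match.group(2)
        if name not in vetted:
            findings.append((name, "not-vetted"))      # may not exist at all
        elif version is None:
            findings.append((name, "unpinned"))
        elif version_key(version) < version_key(vetted[name]):
            findings.append((name, "below-minimum"))   # predates known fixes
    return findings

# Constructed requirements, as an assistant might propose them.
SAMPLE = [
    "acme-http==2.4.1",
    "Acme_ORM==1.2.0        # known name, old release",
    "acme-jsonfast==0.9.0   # name nobody on the team has seen",
    "acme-auth",
    "acme-http>=2.0",
]

if __name__ == "__main__":
    print(review_requirements(SAMPLE))
```

A `not-vetted` finding is the prompt to confirm that the package exists and who publishes it before it is ever installed.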

Architectural drift and risky security changes

One of the hardest risks to detect is what might be called architectural drift—subtle model-generated design changes that break security invariants without violating syntax. These changes often evade static analysis tools and human reviewers, especially when the code “looks correct” but behaves insecurely. Examples might range from swapping out cryptography libraries, to removing access control protections.
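
One way to pin a security invariant so that the drift described above, and the missing authentication described earlier under "Authentication and authorization failures", fails a build instead of depending on a reviewer noticing. This is an added example, not code from the original article; the Flask-style `route` decorator, the `login_required` name, the public-path list and the sample source are assumptions made for illustration.

```python
import ast

# Assumptions for this example: Flask-style "@app.route(path)" registration,
# a "login_required" decorator for protection, and a short public allowlist.
ROUTE_ATTR = "route"
AUTH_DECORATORS = {"login_required"}
PUBLIC_PATHS = {"/health", "/login"}

def _name(decorator):
    """Name of a decorator: 'route' for @app.route(...), 'x' for @x."""
    target = decorator.func if isinstance(decorator, ast.Call) else decorator
    if isinstance(target, ast.Attribute):
        return target.attr
    return target.id if isinstance(target, ast.Name) else None

def _path(decorator):
    """First literal argument of @app.route(...), or None if not a literal."""
    if isinstance(decorator, ast.Call) and decorator.args:
        arg = decorator.args[0]
        return arg.value if isinstance(arg, ast.Constant) else None
    return None

def unprotected_routes(source):
    """Return (handler, path) for routes with no auth decorator (presence only)."""
    findings = []
    for node in ast.walk(ast.parse(source)):  # parsed, never executed
        if not isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        names = {_name(d) for d in node.decorator_list}
        paths = [_path(d) for d in node.decorator_list if _name(d) == ROUTE_ATTR]
        if paths and not (names & AUTH_DECORATORS) and not set(paths) <= PUBLIC_PATHS:
            findings.append((node.name, paths[0]))
    return findings

# Constructed source: /admin/export has lost its decorator in a regeneration.
SAMPLE = '''
@app.route("/health")
def health(): return "ok"

@app.route("/scores")
@login_required
def scores(): return load_scores()

@app.route("/admin/export")
def export(): return dump_all()
'''

if __name__ == "__main__":
    print(unprotected_routes(SAMPLE))
```

Run as a test in CI, a non-empty result blocks the merge, so a regenerated handler that silently drops its protection is caught even when the code "looks correct".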

Final Thoughts

The net result is the emergence of “AI-native” vulnerabilities—bugs that appear to be standard code but violate critical security assumptions or logic flows. These include:

  • Architecturally invisible flaws
  • Dependency-related vulnerabilities from outdated suggestions
  • Dependency hallucinations 
  • Injection risks due to weak input handling
  • Authentication gaps stemming from underspecified prompts

AppSec must adapt to this new paradigm. Secure-by-default prompts, dynamic vulnerability intelligence, and AI-specific code review tools are no longer optional. They are now essential components of a modern software security practice.

Contact our security experts if you’d like to discuss how you can help your organization securely roll out and adopt AI coding assistants.
