COMPLETE AI CODE VULNERABILITY TAXONOMY | VIBEEVAL

AI-Generated Code Patterns

AI coding tools excel at generating functional code quickly but often miss security nuances. They may produce syntactically correct code with critical vulnerabilities, especially around authentication, input validation, and cryptography.

Injection Vulnerabilities

SQL Injection

Unparameterized queries with user input directly concatenated into SQL statements

NoSQL Injection

MongoDB or other NoSQL queries that accept user-supplied objects as filter values, letting an attacker inject operators such as $ne or $gt (a JSON password of {"$ne": ""} matches any record)

Command Injection

Shell commands constructed with unsanitized user input

LDAP Injection

LDAP queries built with unvalidated external data
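The SQL and NoSQL patterns above, as an added example (not code from the page or from VibeEval): the lookup written with string concatenation beside its parameterized form, run against an in-memory SQLite database, and a type check that defeats MongoDB operator injection. The table, rows and request payloads are constructed for the demonstration.

```python
"""Injection: concatenated vs. parameterized SQL, plus a NoSQL operator guard.
Added example; the table, rows and payloads below are constructed."""
import sqlite3


def make_db():
    """Constructed sample data: three users in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def find_user_unsafe(conn, username):
    # VULNERABLE: the quote in the input closes the literal and the remainder
    # is parsed as SQL, so  x' OR '1'='1  returns every row.
    sql = "SELECT username FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username):
    # Parameterized: the driver binds the value separately from the statement,
    # so a quote in the input is just a character inside the string.
    rows = conn.execute("SELECT username FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


# MongoDB-style operator injection.  A handler that does
#   User.findOne({username: req.body.username, password: req.body.password})
# accepts {"password": {"$ne": ""}} from a JSON body, which matches any
# password.  The fix is to insist on the types the query expects.
def build_login_filter(payload):
    """Return a filter containing only allow-listed fields with string values."""
    clean = {}
    for field in ("username", "password"):
        value = payload.get(field)
        if not isinstance(value, str):
            raise ValueError(f"{field} must be a string, got {type(value).__name__}")
        clean[field] = value
    return clean


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("unsafe:", find_user_unsafe(conn, payload))  # every user
    print("safe:  ", find_user_safe(conn, payload))    # []
    print(build_login_filter({"username": "alice", "password": "hunter2"}))
    try:
        build_login_filter({"username": "alice", "password": {"$ne": ""}})
    except ValueError as exc:
        print("rejected:", exc)
```

The same split applies to every driver: anything that builds the statement text from user data is the vulnerable form, anything that passes values through the driver's binding mechanism is the fixed one. For NoSQL, the check is on types, not on characters, because the injection vector is a structured object rather than a quote.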

Authentication & Authorization

Hardcoded Credentials

API keys, passwords, or tokens embedded directly in source code

Weak Password Policies

No length requirements, complexity rules, or common password checks

Missing Access Controls

Endpoints accessible without proper role or permission verification

Insecure Session Management

Predictable session IDs or tokens stored insecurely
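The four authentication and authorization items above in one small module, as an added example (not code from the page or from VibeEval): a password policy backed by a denylist, session identifiers drawn from the OS CSPRNG and stored only as hashes, and a server-side role check on a privileged operation. The users, roles and the tiny common-password list are constructed for the demonstration.

```python
"""Auth controls AI-generated handlers tend to omit.  Added example; users,
roles and the denylist are constructed."""
import hashlib
import secrets

MIN_PASSWORD_LENGTH = 12
# Stand-in for a real breached-password set (e.g. the Pwned Passwords corpus).
COMMON_PASSWORDS = {"password", "password123", "123456789012", "qwertyuiop12", "letmein12345"}


def check_password_policy(password):
    """Return the list of violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"shorter than {MIN_PASSWORD_LENGTH} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")
    if password.isdigit() or password.isalpha():
        problems.append("uses a single character class")
    return problems


def predictable_session_id(counter):
    # VULNERABLE: sequential IDs.  Anyone holding one can enumerate its neighbours.
    return f"sess-{counter:08d}"


def new_session_id():
    # 32 bytes from the OS CSPRNG, URL-safe base64 (43 characters).
    return secrets.token_urlsafe(32)


class SessionStore:
    """Keeps SHA-256(token) rather than the token, so a leaked table cannot be replayed."""

    def __init__(self):
        self._sessions = {}  # sha256 hex of token -> (username, role)

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, username, role):
        token = new_session_id()
        self._sessions[self._key(token)] = (username, role)
        return token  # handed to the client once; never persisted in the clear

    def lookup(self, token):
        return self._sessions.get(self._key(token))


class PermissionDenied(Exception):
    pass


def require_role(store, token, *allowed_roles):
    session = store.lookup(token)
    if session is None:
        raise PermissionDenied("not authenticated")
    username, role = session
    if role not in allowed_roles:
        raise PermissionDenied(f"role {role!r} may not perform this action")
    return username, role


def delete_user(store, token, target):
    # The check lives in the handler; hiding the button in the UI is not access control.
    actor, _ = require_role(store, token, "admin")
    return f"{actor} deleted {target}"


if __name__ == "__main__":
    print(check_password_policy("password123"))
    store = SessionStore()
    admin_token = store.create("alice", "admin")
    user_token = store.create("bob", "user")
    print(delete_user(store, admin_token, "carol"))
    try:
        delete_user(store, user_token, "carol")
    except PermissionDenied as exc:
        print("denied:", exc)
```

The role check runs on every call to the privileged function, which is the property AI-generated endpoints most often lack: the code checks authentication (is there a session?) but never authorization (may this session do this?).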

Data Exposure

Sensitive Data in Logs

Passwords, tokens, or PII written to application logs

Excessive API Data

API responses include unnecessary sensitive fields

Client-Side Secrets

API keys or credentials exposed in frontend JavaScript

Debug Endpoints in Production

Development endpoints exposing system information left enabled
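Two of the exposure paths above have a direct code fix and are shown here as an added example (not code from the page or from VibeEval): a redaction step that scrubs secrets and PII out of log lines before they reach the sink, wired into the standard logging module, and an allow-list serializer so an API response carries only the fields the client needs. The log lines, the user record and the regex rules are constructed for the demonstration; the rules illustrate the approach and are not an exhaustive PII detector.

```python
"""Log redaction and response field allow-listing.  Added example; the log
lines, user record and patterns below are constructed."""
import json
import logging
import re

# Each rule keeps the field label and replaces only the sensitive value.
REDACTIONS = [
    (re.compile(r"(?i)(password|passwd|pwd)(\s*[=:]\s*)\S+"), r"\1\2[REDACTED]"),
    (re.compile(r"(?i)(authorization:\s*bearer\s+)\S+"), r"\1[REDACTED]"),
    (re.compile(r"(?i)(api[_-]?key|token|secret)(\s*[=:]\s*)\S+"), r"\1\2[REDACTED]"),
    (re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"), "[EMAIL]"),
    (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "[SSN]"),
]


def redact(line):
    """Apply every rule in order; safe to run on already-redacted text."""
    for pattern, replacement in REDACTIONS:
        line = pattern.sub(replacement, line)
    return line


class RedactingFormatter(logging.Formatter):
    """Drop-in formatter: redaction happens once, at the sink, for every logger."""

    def format(self, record):
        return redact(super().format(record))


# Constructed log lines of the kind AI-generated handlers emit with logger.debug(request).
SAMPLE_LOG = [
    "2024-05-01T10:00:00Z INFO  POST /login user=alice password=hunter2 ip=10.0.0.5",
    "2024-05-01T10:00:01Z DEBUG headers Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.sig",
    "2024-05-01T10:00:02Z INFO  profile update email=carol@example.com ssn=123-45-6789 api_key=sk_live_51Hxyz",
]

# Fields a profile endpoint may return.  The anti-pattern is jsonify(user.__dict__)
# or res.json(user) on the whole ORM row.
PUBLIC_USER_FIELDS = ("id", "username", "display_name")


def serialize_user(record, fields=PUBLIC_USER_FIELDS):
    """Return only allow-listed fields; unknown or sensitive columns never leave the server."""
    return {key: record[key] for key in fields if key in record}


USER_RECORD = {  # constructed ORM row
    "id": 7, "username": "carol", "display_name": "Carol",
    "email": "carol@example.com", "password_hash": "pbkdf2_sha256$600000$...",
    "mfa_secret": "JBSWY3DPEHPK3PXP", "role": "user",
}


if __name__ == "__main__":
    handler = logging.StreamHandler()
    handler.setFormatter(RedactingFormatter("%(levelname)s %(message)s"))
    log = logging.getLogger("demo")
    log.addHandler(handler)
    log.setLevel(logging.DEBUG)
    for line in SAMPLE_LOG:
        log.info(line)
    print(json.dumps(serialize_user(USER_RECORD)))
```

Redacting at the formatter rather than at each call site matters because the leak usually comes from a line nobody reviewed, such as a dumped request object in a catch block. The allow-list runs the same way in reverse: new columns added to the model are private by default until someone adds them to the list.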

Cryptography Flaws

Weak Hashing Algorithms

Using a fast general-purpose hash (MD5, SHA-1, or even unsalted SHA-256) for passwords instead of a salted, deliberately slow password hash such as bcrypt, scrypt or Argon2

Insecure Random Numbers

Using Math.random() or another non-cryptographic PRNG for tokens, session IDs, salts or other security-critical values instead of the platform's CSPRNG

Missing Encryption at Rest

Sensitive data stored unencrypted in databases

Improper TLS Configuration

Weak cipher suites, outdated protocol versions (TLS 1.0/1.1), or certificate verification switched off to make a failing request "work"
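The password-hashing and random-number items above in code, as an added example (not code from the page or from VibeEval): the unsalted MD5 that AI tools still emit, the offline lookup that reverses it, and a salted, slow key derivation with a constant-time verify. Python's standard library has no bcrypt or Argon2 binding, so PBKDF2-HMAC-SHA256 stands in here for the bcrypt/Argon2 the page recommends; the record layout and the verify path are the same shape for those algorithms. The passwords and the wordlist are constructed for the demonstration.

```python
"""Password storage: unsalted MD5 vs. a salted, iterated KDF.  Added example;
PBKDF2 is a stand-in for bcrypt/Argon2, and the passwords are constructed."""
import hashlib
import hmac
import secrets


def hash_password_md5(password):
    # VULNERABLE: fast and unsalted.  Identical passwords give identical digests,
    # and a precomputed table reverses common ones instantly.
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(digest, wordlist):
    """The attacker's side: rebuild the table for a wordlist and look the digest up."""
    table = {hashlib.md5(word.encode()).hexdigest(): word for word in wordlist}
    return table.get(digest)


PBKDF2_ITERATIONS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


def hash_password(password, iterations=PBKDF2_ITERATIONS):
    # Per-user salt from the OS CSPRNG.  random.random() or Math.random() here
    # would make salts guessable and precomputation possible again.
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # Self-describing record so the cost can be raised later without a flag day.
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha256":
        raise ValueError(f"unsupported scheme {scheme!r}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time compare; == would leak how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    wordlist = ["password", "hunter2", "letmein", "qwerty"]  # constructed
    weak = hash_password_md5("hunter2")
    print("md5 reversed to:", crack_md5(weak, wordlist))
    record = hash_password("hunter2")
    print(record)
    print(verify_password("hunter2", record), verify_password("hunter3", record))
```

Two properties to look for in a code review: the same password must produce different stored values each time (salt), and the verify routine must read its parameters from the stored record rather than from a constant, or the cost can never be raised for existing users.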

Input Validation

Cross-Site Scripting (XSS)

User input rendered into HTML, JavaScript or attribute contexts without context-appropriate escaping

Path Traversal

File paths constructed with unvalidated user input

XML External Entity (XXE)

XML parsers configured to process external entities

Server-Side Request Forgery (SSRF)

Application makes requests to user-controlled URLs
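Path traversal and SSRF, the two items above whose fix is a validation routine, as an added example (not code from the page or from VibeEval): the prefix check AI tools usually write beside a normalizing one, and a URL guard that resolves the host and rejects any internal address. The upload root, the URLs and the fake DNS table used to keep the demo offline are constructed; production would use the real resolver shown.

```python
"""Path-traversal and SSRF guards.  Added example; UPLOAD_ROOT, the URLs and
FAKE_DNS are constructed for the demo."""
import ipaddress
import os.path
import socket
from urllib.parse import urlsplit

UPLOAD_ROOT = "/srv/app/uploads"  # constructed upload directory


def resolve_upload_naive(user_path, root=UPLOAD_ROOT):
    # VULNERABLE: a prefix test without normalization.  "../../etc/passwd"
    # still starts with the root string and escapes it.
    candidate = root + "/" + user_path
    if not candidate.startswith(root):
        raise ValueError("outside upload root")
    return candidate


def resolve_upload(user_path, root=UPLOAD_ROOT):
    """Normalize first, then require root to be a path prefix of the result.
    The check is lexical; when opening the file also defeat symlinks
    (os.path.realpath on the result, or O_NOFOLLOW)."""
    root = os.path.normpath(root)
    candidate = os.path.normpath(os.path.join(root, user_path))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError(f"path escapes upload root: {user_path!r}")
    return candidate


def _is_public_address(text):
    try:
        addr = ipaddress.ip_address(text.split("%")[0])  # drop an IPv6 scope id
    except ValueError:
        return False  # unparseable literal: fail closed
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped  # ::ffff:127.0.0.1 is still loopback
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def system_resolver(host):
    """Real resolver: getaddrinfo normalizes literals such as "127.1" and resolves names."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_fetch_url(url, resolve=system_resolver):
    """True only if the scheme is http(s) and every address the host resolves to is public.
    Checking the literal hostname string instead (the usual AI-generated version)
    misses "127.1", decimal IPs and names that resolve to internal addresses."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username is not None:  # "http://trusted.example.com@169.254.169.254/"
        return False
    try:
        addresses = resolve(parts.hostname)
    except (OSError, UnicodeError, ValueError):
        return False
    return bool(addresses) and all(_is_public_address(a) for a in addresses)


# Constructed DNS table so the demo runs offline; production uses system_resolver.
FAKE_DNS = {
    "example.com": {"93.184.216.34"},
    "metadata.internal": {"169.254.169.254"},
    "dual.example.com": {"93.184.216.34", "10.0.0.5"},  # one internal record is enough
}


def fake_resolver(host):
    return FAKE_DNS.get(host, {host})


if __name__ == "__main__":
    print(resolve_upload_naive("../../etc/passwd"))  # escapes the root
    print(resolve_upload("reports/2024.pdf"))
    for url in ("https://example.com/feed", "http://169.254.169.254/latest/meta-data/",
                "http://metadata.internal/", "http://[::ffff:127.0.0.1]/", "http://127.1/"):
        print(url, "->", is_safe_fetch_url(url, fake_resolver))
```

One caveat the code cannot remove: the address is checked at validation time and the HTTP client resolves again at connect time, so a host that changes its record in between (DNS rebinding) still reaches the internal network. The fix is to connect to the address you validated, or to route outbound fetches through an egress proxy that enforces the same policy.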

Logic & Business Flaws

Race Conditions

Concurrent operations on shared resources without proper locking

Missing Rate Limiting

No throttling on authentication or resource-intensive endpoints

Insecure Deserialization

Deserializing untrusted data with formats that can instantiate arbitrary types (pickle, Java serialization, unsafe YAML loaders), or without validating the result against the expected schema

Business Logic Bypass

Payment, discount, or workflow steps that can be skipped
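Rate limiting and business-logic bypass, as an added example (not code from the page or from VibeEval): a per-key sliding-window limiter for login attempts with an injectable clock, and an order workflow whose transitions are enforced on the server, so payment cannot be skipped, a discount cannot be applied twice, and the amount charged is compared against the server's total rather than a price the client sends. The catalog, the discount code and the clock are constructed for the demonstration.

```python
"""Sliding-window rate limiter and a server-enforced order state machine.
Added example; the catalog, discount code and FakeClock are constructed."""
import time
from collections import deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window` seconds for each key (IP, account)."""

    def __init__(self, limit, window, clock=time.monotonic):
        self.limit, self.window, self.clock = limit, window, clock
        self._hits = {}  # key -> deque of timestamps inside the window

    def allow(self, key):
        now = self.clock()
        hits = self._hits.setdefault(key, deque())
        while hits and hits[0] <= now - self.window:
            hits.popleft()  # expire old attempts
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


class FakeClock:
    """Constructed clock so the demo and tests are deterministic."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


CATALOG = {"sku-1": 1999, "sku-2": 500}  # cents; the server is the source of truth
DISCOUNT_CODES = {"WELCOME10": 10}        # percent off, single use per order


class OrderError(Exception):
    pass


class Order:
    """CART -> PAID -> SHIPPED.  Every transition re-checks state on the server."""

    def __init__(self):
        self.state = "CART"
        self.items = {}
        self.discount_code = None

    def add(self, sku, qty):
        if self.state != "CART":
            raise OrderError("order is locked after payment")
        if sku not in CATALOG or qty <= 0:
            raise OrderError("invalid line item")
        self.items[sku] = self.items.get(sku, 0) + qty

    def apply_discount(self, code):
        if self.state != "CART":
            raise OrderError("order is locked after payment")
        if self.discount_code is not None:
            raise OrderError("discount already applied")  # replaying the request does nothing
        if code not in DISCOUNT_CODES:
            raise OrderError("unknown code")
        self.discount_code = code

    def total(self):
        subtotal = sum(CATALOG[sku] * qty for sku, qty in self.items.items())
        percent = DISCOUNT_CODES.get(self.discount_code, 0)
        return subtotal * (100 - percent) // 100

    def pay(self, amount_cents):
        # Compare against the server-side total, never the amount the client asserts.
        if self.state != "CART":
            raise OrderError("already paid")
        if amount_cents != self.total():
            raise OrderError("amount does not match order total")
        self.state = "PAID"

    def ship(self):
        if self.state != "PAID":  # the step a client can otherwise jump to directly
            raise OrderError("cannot ship an unpaid order")
        self.state = "SHIPPED"


if __name__ == "__main__":
    clock = FakeClock()
    limiter = SlidingWindowLimiter(limit=5, window=60, clock=clock)
    print([limiter.allow("10.0.0.5") for _ in range(6)])  # five allowed, sixth blocked
    order = Order()
    order.add("sku-1", 2)
    order.apply_discount("WELCOME10")
    print(order.total())
```

The generated code to compare this against typically exposes `/pay` and `/ship` as independent endpoints that each update a status column, with nothing checking the previous status and the total taken from the request body.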

AI-Specific Vulnerability Patterns

Hallucinated Security Functions

AI invents plausible-looking but non-existent security libraries or methods; at best the import fails, at worst an attacker has already registered a package under the hallucinated name

Incomplete Error Handling

Try-catch blocks that swallow errors silently, or handlers that return raw exception messages and stack traces to the client

Over-Permissive CORS

CORS configured with a wildcard origin, or reflecting the request's Origin header while allowing credentials, so any site can read authenticated API responses

Missing Input Length Limits

No maximum length constraints on user inputs, enabling DoS attacks
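Over-permissive CORS and missing length limits, the two items above that reduce to code, as an added example (not code from the page or from VibeEval): the three ways AI tools tend to write the origin check (wildcard, reflect the request Origin, substring match) beside an exact allow-list, plus a body and field size cap. The allowed origins and the limits are constructed for the demonstration.

```python
"""CORS origin checks and request size limits.  Added example; ALLOWED_ORIGINS
and the limits are constructed."""

ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}


def cors_headers_wildcard(origin):
    # VULNERABLE: any site can read the response.  Browsers refuse "*" together
    # with credentials, which is how the next variant gets written.
    return {"Access-Control-Allow-Origin": "*"}


def cors_headers_reflect(origin):
    # VULNERABLE: reflecting Origin with credentials lets any page the victim
    # visits make authenticated requests and read the answers.
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_suffix(origin):
    # VULNERABLE: endswith("example.com") also accepts https://evil-example.com
    # and https://example.com.attacker.test needs only a different suffix trick.
    if origin and origin.endswith("example.com"):
        return {"Access-Control-Allow-Origin": origin,
                "Access-Control-Allow-Credentials": "true"}
    return {}


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Exact match against an allow-list; no CORS headers at all for anything else,
    including a missing Origin and the literal string "null"."""
    if origin not in allowed:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
        "Vary": "Origin",  # shared caches must not serve one origin's answer to another
    }


MAX_BODY_BYTES = 64 * 1024
MAX_FIELD_CHARS = {"username": 64, "comment": 2000}


class RequestTooLarge(Exception):
    pass


def check_limits(body, fields):
    """Reject oversized bodies before parsing and oversized fields before they
    reach regexes, database columns or downstream services."""
    if len(body) > MAX_BODY_BYTES:
        raise RequestTooLarge(f"body is {len(body)} bytes, limit {MAX_BODY_BYTES}")
    for name, value in fields.items():
        limit = MAX_FIELD_CHARS.get(name)
        if limit is not None and len(value) > limit:
            raise RequestTooLarge(f"{name} is {len(value)} chars, limit {limit}")
    return True


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://evil-example.com", "null", None):
        print(origin, "suffix:", cors_headers_suffix(origin), "strict:", cors_headers(origin))
    print(check_limits(b"x" * 100, {"username": "alice", "comment": "fine"}))
```

Read the three vulnerable variants as stages of the same conversation with the assistant: the wildcard breaks when cookies are involved, the reflected origin "fixes" it, and the suffix match is what comes back when someone asks for "only our domains". Only the exact allow-list is acceptable, and the body cap belongs in front of every parser, since the framework default is often unlimited.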

AI-Generated Code Risks

Risk analysis by threat category and impact

AI Code Review Guide

Framework for reviewing AI-generated code

Secure AI Coding Practices

Prompts and practices for secure code generation

GitHub Copilot Guide

Complete guide to securing Copilot-generated code

Scan for AI Code Vulnerabilities

Automatically detect these vulnerabilities in your AI-generated codebase. VibeEval identifies security flaws specific to Copilot, Cursor, and other AI coding tools.
