VIBE CODING VULNERABILITIES

The 14 vibe coding vulnerabilities

These aren’t bugs in any specific AI coding tool. They’re patterns in how AI models generate code — the same patterns appear whether the developer used Lovable, Cursor, Bolt, Replit, Claude Code, v0, Devin, or Windsurf. We’ve scanned 1,400+ vibe-coded apps; the distribution is remarkably consistent.

Critical (whole-database / account-takeover risk)

1. Missing Row Level Security on Supabase / Firebase

The single most common critical finding. AI generates database tables and routes but skips the row-level security policy. The Supabase anon key (public, ships in every browser) becomes effectively a read/write key for the whole database.

Prevalence: ~70% of Supabase-backed vibe-coded apps. ~50% of Firebase-backed.

Fix: Firebase Security Rules: 12 Common Mistakes for Firestore. For Supabase, enable RLS on every table and write policies matching your auth model.

2. Hardcoded API keys in frontend bundle

Stripe secret keys, OpenAI API keys, AWS credentials, Firebase service-account JSON — placed directly in source files that get bundled and shipped to every visitor’s browser.

Prevalence: ~25% of vibe-coded apps ship at least one secret in the bundle.

Fix: Token Leak Checker finds these in seconds. Move every secret to server-only environment variables; for client-side variables, use the public-prefix convention (NEXT_PUBLIC_, VITE_).

3. BOLA / IDOR on CRUD endpoints

GET /api/invoice/:id checks the user is logged in but doesn’t check the user owns invoice :id. Anyone with a valid session can read any invoice.

Prevalence: ~85% of vibe-coded apps with CRUD APIs.

Fix: Add ownership check on every CRUD endpoint with a path parameter. Match req.user.id to resource.owner_id before returning or modifying.

High

4. Over-permissive CORS

Access-Control-Allow-Origin: * set to silence development errors and shipped to production. When combined with Allow-Credentials: true, any origin can read authenticated responses.

Prevalence: ~40% of vibe-coded APIs.

Fix: Allowlist origins via env var. Reject * for any endpoint with credentials.

5. Missing input validation

Generated handlers trust user input — no length checks, no type validation, no allowlist constraints. Opens XSS, SQL injection, command injection, server-side request forgery.

Prevalence: Near-universal in AI-generated code.

Fix: Add Zod (or framework-equivalent) validation to every endpoint. Reject malformed requests with 400.

6. SQL injection via string concatenation

Despite training data showing parameterized queries, AI still produces db.query(\SELECT * FROM users WHERE email = ‘${email}’`)` for “complex” queries.

Prevalence: ~30% of AI-generated apps with custom SQL.

Fix: Replace template-literal SQL with parameterized queries. ORMs help but don’t fully prevent — audit raw query escapes.

7. Verbose error handlers exposing internals

catch (e) { res.json(e) } ships database error messages, stack traces, and internal file paths to attackers.

Prevalence: ~60% of AI-generated APIs.

Fix: Structured error handler. Log full error server-side. Return generic message + correlation ID to client.

8. Webhooks without signature verification

Stripe, Slack, GitHub all sign webhooks. AI-generated handlers trust whatever request arrives. Attackers can replay or forge webhook events to trigger billing actions, send messages, or commit code.

Prevalence: ~50% of webhook handlers in AI-generated apps.

Fix: Verify the provider’s documented signature. Use constant-time comparison. Reject unsigned or invalid-signature requests with 401.

High-Medium

9. JWT signature skipped or wrong algorithm

jwt.decode() (unverified) used instead of jwt.verify(). Or none algorithm accepted. Or signing secret left at default. Each makes tokens trivially forgeable.

Prevalence: ~20% of AI-generated auth flows.

Fix: Always jwt.verify() with server-side secret. Reject none algorithm. Verify iss, aud, exp explicitly.

10. Missing rate limiting

Auth endpoints, password reset, expensive queries shipped without rate limits. Enables credential stuffing, brute force, and resource exhaustion.

Prevalence: ~80% of vibe-coded apps lack rate limiting on at least one auth endpoint.

Fix: 5/min/IP for auth, 100/min for general API. Use express-rate-limit or Cloudflare/upstream rate limits.

Medium

11. Self-editable role / permission fields

User update endpoints accept arbitrary fields, including role or permissions. A logged-in user can PATCH /api/users/me {"role": "admin"} and escalate.

Prevalence: ~25% of vibe-coded apps with user roles.

Fix: Allowlist updatable fields per endpoint. Role/permission changes go through a separate admin-only endpoint.

12. Open storage buckets

S3, Supabase Storage, Firebase Storage buckets created without access rules. Any object readable or writable by anonymous users.

Prevalence: ~30% of vibe-coded apps with file uploads.

Fix: Set bucket-level access controls. For Supabase, RLS policies on the storage table. For S3, block public access at bucket level.

13. Debug routes shipped to production

/admin, /_debug, /health/full, /swagger reachable without auth. Common when AI generates scaffolding during development and the developer forgets to gate.

Prevalence: ~35% of vibe-coded apps.

Fix: Audit every route. Remove or auth-gate anything not intended public. Use environment-based route registration (/swagger only in dev).

14. Hallucinated dependencies

AI suggests package names that don’t exist on npm/PyPI. Attackers register the hallucinated names with malicious code (slopsquatting). When the dev runs install, malware loads.

Prevalence: ~3-5% of AI-suggested packages don’t exist; rate is rising.

Fix: Package Hallucination Scanner verifies every dependency before install. Pin versions in lockfile.

Why AI keeps producing these patterns

Three structural reasons:

1. Training data is biased toward functionality. Every “build me a CRUD app” example online shows the auth check; few show the ownership check. Models learn what they see most.

2. AI optimizes for what was prompted. “Add a delete endpoint” produces a delete endpoint. Security is rarely in the prompt; the model doesn’t add it without being asked.

3. AI lacks attack-surface awareness. A human reviewing one file remembers the sibling files. AI sees the file in isolation, secures it locally, and the inconsistency across files becomes the vulnerability.

The model will keep producing these patterns. The reliable fix is downstream — a security gate in CI that catches what the prompt didn’t.

Prevalence by tool

The patterns are tool-agnostic but rates vary slightly:

The pattern is the same; the surface differs by stack.

How to test for all 14 in one pass

Manual: read every file. Slow.

Automated: Vibe Code Scanner tests for all 14 patterns plus 300 others against your deployed app in under 60 seconds. Each finding ships with the matching fix prompt for paste-into Cursor / Claude Code / Lovable.

How to prevent these patterns

A four-layer defense:

1. Prompt explicitly. Ask for input validation, auth checks, parameterized queries every time.
2. Required PR review for every AI-generated commit. Reviewers trained on this list.
3. CI security gate. Static scan + dynamic scan must pass before merge.
4. Dynamic scan on every deploy. AI-generated code shifts faster than human review can keep up; the deployed-app scan is the last line of defense.

Related resources

• Vibe Code Scanner — automated scan for all 14 patterns
• OWASP Top 10 for AI Code — the canonical taxonomy
• Cursor Security Risks — Cursor-specific deep dive
• Copilot Security Risks — Copilot-specific deep dive
• Is Lovable Safe? — Lovable-specific audit
• Is Replit Safe? — Replit-specific audit
• Is Cursor Safe? — Cursor IDE audit
• Firebase Security Rules — fixing the #1 critical
• Token Leak Checker — finds vulnerability #2
• Package Hallucination Scanner — finds vulnerability #14