🟢 READ | ⏱ 6 min | 📡 8/10 | 🎯 Security engineers, developers shipping AI-assisted code, anyone deploying vibe-coded apps

TL;DR

Tenzai's December 2025 audit of 5 major AI coding tools (Claude Code, Codex, Cursor, Replit, Devin) building 3 identical apps each found 69 vulnerabilities across 15 applications. The failures aren't random — they cluster in areas requiring contextual understanding AI doesn't have: authorization logic, business logic edge cases, and SSRF. Every single tool introduced SSRF in a URL preview feature. Zero of 15 apps implemented CSRF protection. Adding "write secure code" to prompts produced "minimal vulnerability reduction."

Signal

• Carnegie Mellon (SusVibes benchmark): 61% of AI-generated code is functionally correct, only 10.5% is secure — the correctness/security gap is structural, not fixable by better prompting
• Escape.tech scanned 5,600 live apps from vibe-coding platforms: 2,000+ vulnerabilities, 400+ exposed secrets, 175 instances of PII exposure (medical records, IBANs, phone numbers) in production
• Cursor vulnerability (CurXecute / CVE-2025-54135): editing MCP config writes to disk and executes commands even when user rejects the suggestion in the UI — the tool itself is an attack surface

What They're NOT Telling You

The Tenzai audit tests default behavior — what happens without security-specific prompting. Databricks AI Red Team found self-reflection prompts improve security 60–80% for Claude. The tools can find their own vulnerabilities when explicitly asked. But that defeats the purpose of vibe coding (prompt once, get working software). The fix (prompt for security explicitly) is a workflow requirement that most vibe coders won't adopt, which is why this problem won't self-resolve.

Trust Check

Factuality ✅ (CVE numbers, CMU/Escape.tech/Veracode all cited) | Author Authority ✅ (aggregates multiple independent studies) | Actionability ✅ (SSRF and authorization checks are minimum before deploy)