Vibe code is defined as the practice of using natural language to train large language models to generate code. A growing number of emerging ventures and platforms focusing on packaging the process have emerged in the past few years. However, the best things about vibe coding are well recognized, like reducing the barrier to entry on app development and expanding dev budgets. Furthermore, there remain the risks and concerns that should not be overlooked. Even though we do not consider that giant firms can use the process to lay off full-time employees, there are also security risks to be considered, such as AI hallucinations, users refusing to audit code due to a lack of trust in the platform, and a lack of insight into the gaps in security systems.
What are the Cyber Gaps in LLM-Assisted Coding?
The 2025 GenAI Code Security Report, prepared by the researchers testing 100 LLMs against 80 designed coding tasks, reported that AI models made 45% insecure implementations. Unfortunately, the researchers found no notable security improvements with time. Java performed the worst out of the four programming languages tested. It saw a 71% failure rate in coding safely. Models lagged when preventing cross-site scripting problems up to 86% of the time.
AI Coding Prepared for Security Primetime
LLM coding products are available and are likely to remain available for a long time. The most important question is whether vibe coding tools are yet market-ready. Like many other early adopters of generative AI tools, the products seem beneficial but should be implemented accurately. It has been reported that vibe coding products are outstanding for prototyping and low-risk internal tools. However, they should not be considered as a drop-in replacement for safe production development. You should still run static code scanning and dependency checks, and test the generated code for risks. However, we may want a human code reviewer in the real world to review the change before it’s implemented in a codebase. Nicole Carignan, VC of security and AI strategy at Darktrace, revealed that two major cases are initial brainstorming for apps and structure, along with coding assistance for new developers.
This enables people to explain a rough idea of what is expected from the program, and then AI helps generate a code framework to start with. The major concern is that the code will not be secure by design.
It has been found that vibe coding products are 100% insecure, and they need security scanning and oversight. The tools in place can carry out simple jobs, but the technology is still in its infancy for businesses. This is mainly due to the fact that AI is acting in an inconsistent way, and the result is of low quality. It may do more things quickly, but it is not yet reliable. The technology is progressing swiftly, and it could be market-ready soon.
Common Security Risks
Whether you are using ChatGPT or just vibe coding with a dedicated tool, you are prone to some of the vulnerabilities and cyberattacks.
Cross-site Scripting
A cross-site scripting attack causes risks in web applications where user-provided input is not accurately validated or cleaned before being displayed or processing. Cyber criminals can easily inject harmful code through the user input, and when the corrupt script is executed, it can extract sensitive data or carry out unauthorized actions representing the victim. XSS attacks could be less harmful, but they put the users at risk of data exposure or unauthorized control of their accounts.
SQL Injection Attacks
Similar to XSS, an SQL injection attack injects harmful code into the apps through a vulnerable user input field. As SQL is the language used by several apps to query their underlying database, such an attack enables criminals to access or manipulate the database. A SQL injection attack emerged from the Equifax data breach of 2017. Equifax was not targeted, but the company lagged behind in applying a security patch.
Path Traversal Attacks
Cyber criminals can manipulate file path inputs to fool your app into returning non-public files or directories. They bypass access controls and enable them to read and write to files holding confidential data. Such a type of attack also occurs due to insecure user input. Researchers found a path traversal vulnerability in Atlassian’s Confluence app in 20101 that would have enabled criminals to extract any file on the server that is running Confluence, based on the permissions.
Secrets Leakage
Secrets like passwords, encryption keys, API tokens, and digital certificates offer the malicious actors the path to your home. These sensitive pieces of information can enable hackers to mimic you, access your data, and modify the code. Around 23 million secrets were seen in public source code repositories in 2024. Secrets can be leaked by accidentally hardcoding them into the app or through a vulnerability like TJ-Actions. Attackers modified the tj-actions Github Action code, resulting in a compromised action to print CI/CD secrets.
Vibe Code
If you are acquainted with the risks related to vibe coding and still wish to delve into it, the most important thing to remember is to ensure security hygiene. On the other hand, it was opined that firms should integrate AI-generated code into pre-existing security pipelines. The organizations should have code reviewed by humans whenever possible, and allow secret scanning and push protections in GitHub.
The senior product manager, Kaushik Devireddy, explained that organizations must use the tools to produce or create awareness and train content for the development teams to help them with safe programming instead of replacing them. Finally, the tools will continue their existence and innovative firms should identify paths to implement them instead of outright black them safely. It was recommended that vulnerability scanning and threat modelling usage can help ensure that the models are not hallucinating.
Lastly, it is important to prevent AI from performing operations freely on the production database.
Also Read:
Best AI Coding Assistants for Boosting Engineering Productivity!
