5 Security Vulnerabilities in AI-Generated Code

VCX Team · March 9, 2026 · 4 min read

AI coding assistants are incredibly productive, but they're trained on public code—including vulnerable code. When you vibe-code, you might be shipping security holes alongside your features.

Here are the five most common vulnerabilities we find in AI-generated code.

⚠️ These vulnerabilities appear in over 60% of AI-generated codebases we audit. Don't assume your code is safe just because it compiles and passes tests.

1. SQL Injection (Yes, Still)

AI models often generate database queries using string concatenation instead of parameterized queries. It looks clean, but it's a critical vulnerability.

Vulnerable AI output:

const query = "SELECT * FROM users WHERE id = " + userId;

Secure version:

const query = "SELECT * FROM users WHERE id = ?";
db.query(query, [userId]);

Why AI does this: Training data contains millions of tutorials with vulnerable examples. The AI learned the pattern without understanding the security implication.

💡 Always use parameterized queries or an ORM. Never concatenate user input directly into SQL strings.

2. Hardcoded Secrets

AI assistants will happily output API keys, database credentials, and private keys directly in your code.

What we see:

const apiKey = "sk-live-abc123xyz...";
const dbPassword = "admin123";

The fix: Never accept hardcoded credentials. Use environment variables and secret management systems.

Why AI does this: The model doesn't know these are real secrets—it's completing a pattern it saw in training data. Always audit for any string that looks like a credential.

3. Insecure Authentication Patterns

AI-generated auth code often contains:

  • Passwords stored in plain text
  • Weak session management
  • Missing rate limiting
  • Improper token handling

Example – AI generated:

app.post('/login', async (req, res) => {
  const user = await User.findOne({ email: req.body.email });
  if (user.password === req.body.password) {
    res.json({ token: createToken(user) });
  }
});

Problems:

  • Plain text password comparison
  • No rate limiting (brute force vulnerability)
  • No timing attack prevention

Why AI does this: Auth is complex. AI tends to generate simplified versions that work but skip security best practices.

🔔 Authentication is critical infrastructure. Never trust AI-generated auth code without a thorough security review.
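
A hardened version of the credential check behind the /login handler above, as an added example that is not from the original article: it uses only Node's built-in crypto module to address the three listed problems (salted scrypt hashes instead of plain text, a constant-time comparison, and a failed-attempt limit). The function names, the in-memory maps, and the limit of 5 failures per 15 minutes are assumptions made for illustration.

```javascript
// Added example (not from the article): hardened credential check, Node built-ins only.
const nodeCrypto = require('node:crypto');

const MAX_ATTEMPTS = 5;            // assumed threshold
const WINDOW_MS = 15 * 60 * 1000;  // assumed window
const attempts = new Map();        // key -> { count, first }; in-memory, single process

// Store "salt:hash" from scrypt, never the password itself.
function hashPassword(password) {
  const salt = nodeCrypto.randomBytes(16);
  return `${salt.toString('hex')}:${nodeCrypto.scryptSync(password, salt, 32).toString('hex')}`;
}

function verifyPassword(password, stored) {
  const [saltHex, hashHex] = stored.split(':');
  const expected = Buffer.from(hashHex, 'hex');
  const actual = nodeCrypto.scryptSync(password, Buffer.from(saltHex, 'hex'), expected.length);
  return nodeCrypto.timingSafeEqual(actual, expected); // constant-time comparison
}

// Checked when the account does not exist, so both paths cost one scrypt run.
const DUMMY_HASH = hashPassword(nodeCrypto.randomBytes(16).toString('hex'));

function isLimited(key, now) {
  const e = attempts.get(key);
  return Boolean(e) && now - e.first <= WINDOW_MS && e.count >= MAX_ATTEMPTS;
}

function recordFailure(key, now) {
  const e = attempts.get(key);
  if (!e || now - e.first > WINDOW_MS) attempts.set(key, { count: 1, first: now });
  else e.count += 1;
}

// users: Map of email -> { passwordHash }. Returns an HTTP-style status code.
function login(users, email, password, now = Date.now()) {
  if (typeof email !== 'string' || typeof password !== 'string') return 400;
  if (isLimited(email, now)) return 429;
  const user = users.get(email);
  const ok = verifyPassword(password, user ? user.passwordHash : DUMMY_HASH);
  if (!user || !ok) { recordFailure(email, now); return 401; }
  attempts.delete(email);
  return 200;
}

// Constructed sample account for a quick run.
const demoUsers = new Map([['alice@example.test', { passwordHash: hashPassword('correct horse') }]]);
console.log(login(demoUsers, 'alice@example.test', 'wrong guess'), login(demoUsers, 'alice@example.test', 'correct horse'));
```

Keying the limiter on the e-mail address alone lets anyone lock out a known account; a deployment would typically combine it with the client address and keep the counters in a shared store.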

4. Cross-Site Scripting (XSS) via HTML Generation

When AI generates code that renders HTML or markdown, it often skips sanitization.

Vulnerable:

div.innerHTML = userContent; // Unsafe: markup in userContent is parsed as HTML

Secure:

div.textContent = userContent; // Safe
// Or with sanitization
div.innerHTML = DOMPurify.sanitize(userContent);

Why AI does this: The AI doesn't know where the content comes from or that it might be user-controlled. It generates the simplest rendering approach.

5. Insecure Dependency Suggestions

AI will suggest packages that:

  • Are deprecated and unmaintained
  • Have known CVEs
  • Are not what you think they are (typosquatting)

Example:

npm install express-mysql  # Unmaintained, has known vulnerabilities
npm install mysq1         # Typosquat, malicious package

The fix: Always check:

  • Package download count
  • Last publish date
  • Known vulnerabilities via npm audit

Why AI does this: The model suggests packages based on name matching and co-occurrence in training data. It has no concept of "secure" vs "vulnerable" dependencies.

How to Protect Your Code

  1. Never trust AI output blindly – Review every line, especially auth, data access, and external integrations
  2. Use automated scanning – Tools like VCX catch patterns the AI repeated from vulnerable training data
  3. Test security specifically – Don't just test features; test for injection, auth bypass, and data exposure
  4. Stay updated on CVEs – Subscribe to security advisories for your stack

The VCX Approach

When we audit AI-generated code, we scan for all of these patterns and more. Our rules are specifically tuned for the mistakes AI makes—not just generic security issues.

The bottom line: AI helps you write code faster. VCX helps you write code that doesn't get you hacked.

