With more and more "vibe-coded" applications making their way into the wild, we're noticing some common patterns in the types of vulnerabilities that are emerging.

It's important to remember that producing a slick MVP for a demo is very different from a production ready robust & secure code-base.

Here's a top 4 of some of the major vulnerability trends we're seeing.

Client Side Permission Checks

LLM generated code often prefers client-side authorization and permission checks, in some cases often leaving backend endpoints unprotected. As a bonus SSRF filters and defenses are often implemented client side as well (and so trivially bypassable)

Hidden Flags and Functions 

Occasionally LLMs will insert hidden flags such as debug or admin, allowing an authentication bypass. When doing assessments, definitely want to make sure to use paraminer extension in Burp (or similar in your tooling of choice).

Hard-coded Secrets 

Both in commits and generated client-side code (however in some cases they are hallucinated and not the actual secret)

Classic JWT Vulnerabilities 

LLMs seem to prefer to emit their own JWT handling code rather than relying on established libraries, many of the classic JWT processing vulnerabilities are reappearing, such as failure to check the signature, the classic alg:none bypass, algorithm & public/private key confusion and claims modification.

In many ways it is a return to vulnerabilities that used to be commonplace.

After years of testing applications and reviewing code, there's definitely a particular feel or "code smell" to applications generated by LLMs. An uncanny valley of software development. Like how AI generated eyes in images or videos always look a little off.

It's no surprise that "vibe-coding cleanup specialist" is an emerging profession on LinkedIn.

And with that, if you need help securing your vibe-coded applications, please reach out to us, we'd be happy to help.

For more on our application security and web app pen testing services