What is Vibe Coding?
A development approach where programmers rely heavily on AI assistants to generate code without fully understanding what the code does. While fast, this often introduces security vulnerabilities.
Understanding Vibe Coding
Vibe coding emerged with the rise of AI coding assistants like GitHub Copilot and ChatGPT. Developers describe their intent and accept the generated code because it "feels right" or works on the first try. The problem: AI models are trained on vast codebases that include insecure code, so they reproduce those patterns. Without security expertise, developers can't tell when the assistant suggests an insecure implementation such as string-concatenated SQL, missing input validation, or hardcoded secrets.
Examples
- Accepting AI-generated database queries without checking for SQL injection
- Using AI-suggested authentication code with weak session management
- Copy-pasting AI code that includes hardcoded API keys or secrets
- Implementing file uploads without validating file types or sizes
- Using AI-generated crypto code with insecure algorithms or implementations
How to Prevent
- Always review and understand AI-generated code before using it
- Run security linters and SAST tools on all code, including AI-generated
- Never trust AI with authentication, authorization, or cryptography without expert review
- Treat AI suggestions as a starting point, not a final solution
- Learn security fundamentals - you can't review what you don't understand
- Get a security audit before shipping AI-assisted code to production
- Use AI to explain security concepts, not just generate code
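As an added example (not code from this page), here is a lightweight check for three of the patterns named above, run over constructed sample lines: SQL built with template-literal interpolation, a string-literal JWT secret, and a credential assigned from a literal. It is a heuristic suitable for a pre-commit hook, not a replacement for a real SAST tool such as Semgrep, CodeQL or eslint-plugin-security.

```javascript
// Added example: heuristic source checks for AI-generated code.
// Each check is a line-level regex; findings report the line and a reason.
const CHECKS = [
  {
    id: 'sql-template-interpolation',
    // SQL keyword and a ${...} interpolation inside the same template literal
    re: /`[^`]*\b(SELECT|INSERT|UPDATE|DELETE)\b[^`]*\$\{[^}]*\}[^`]*`/i,
    why: 'user input interpolated into SQL; use a parameterized query',
  },
  {
    id: 'jwt-literal-secret',
    // jwt.sign(payload, 'literal', ...) with a quoted secret as second argument
    re: /jwt\.sign\([^)]*,\s*(['"`])[^'"`]+\1/,
    why: 'JWT secret is a string literal; load it from configuration',
  },
  {
    id: 'hardcoded-credential',
    // apiKey = '...', secret: "...", password = '...' with 8+ chars
    re: /\b(api[_-]?key|secret|password|token)\b\s*[:=]\s*['"][^'"]{8,}['"]/i,
    why: 'credential assigned from a string literal',
  },
];

// Scan source text; returns [{ line, id, why }] in file order.
function scanSource(source) {
  const findings = [];
  source.split('\n').forEach((line, index) => {
    if (/^\s*\/\//.test(line)) return; // comment-only lines are not code
    for (const check of CHECKS) {
      if (check.re.test(line)) {
        findings.push({ line: index + 1, id: check.id, why: check.why });
      }
    }
  });
  return findings;
}

// Constructed sample: the first three lines mirror the page's vulnerable
// snippets, the last two are the safe forms and must not be flagged.
const SAMPLE = [
  "const query = `SELECT * FROM users WHERE id = ${req.params.id}`;",
  "const token = jwt.sign({ id: user.id }, 'secret');",
  "const apiKey = 'sk_live_0123456789abcdef';",
  "const token = jwt.sign({ id: user.id }, process.env.JWT_SECRET, { expiresIn: '1h' });",
  "const query = 'SELECT * FROM users WHERE id = ?';",
].join('\n');

// Usage: fail the hook when anything is flagged.
const report = scanSource(SAMPLE);
for (const f of report) {
  console.log(`line ${f.line}: ${f.id}: ${f.why}`);
}
```

Regexes like these miss anything spread over several lines or built through helper functions, so treat a clean run as "nothing obvious", not as "secure".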
Code Examples
AI Often Suggests Vulnerable Patterns
AI assistants optimize for "working code" not "secure code". The vulnerable version works perfectly in testing but is exploitable in production.
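To make "works in testing but exploitable in production" concrete, here is an added example (not code from the original page) showing what the template-literal handler below actually sends to the database for an injection payload, and why validating with parseInt alone would not catch it. The payload and the helper names are constructed for this demonstration.

```javascript
// Added example: injection payload versus the two handlers on this page.

// Constructed attacker input for GET /user/:id
const PAYLOAD = '1 OR 1=1';

// The vulnerable handler builds this string and hands it to the driver verbatim,
// so the attacker's text becomes part of the WHERE clause.
function vulnerableQueryFor(rawId) {
  return `SELECT * FROM users WHERE id = ${rawId}`;
}

// Strict validation: only a plain decimal integer is accepted.
// parseInt('1 OR 1=1', 10) === 1, so a parseInt-based check would report the
// payload as valid. The parameterized query would still protect the database,
// but a validator that accepts the payload is misleading in logs and reviews.
function validateId(rawId) {
  if (typeof rawId !== 'string' || !/^\d{1,18}$/.test(rawId)) return null;
  return Number(rawId);
}

// The hardened handler keeps SQL text and the value on separate channels:
// the driver sends `sql` and `params` as a prepared statement.
function safeQueryFor(rawId) {
  const id = validateId(rawId);
  if (id === null) return { status: 400, error: 'Invalid ID' };
  return {
    status: 200,
    sql: 'SELECT id, username FROM users WHERE id = ?',
    params: [id],
  };
}

// Usage: compare what each path produces for the payload.
console.log(vulnerableQueryFor(PAYLOAD));   // the WHERE clause is now always true
console.log(parseInt(PAYLOAD, 10));         // 1: parseInt silently truncates
console.log(safeQueryFor(PAYLOAD));         // rejected before any query is built
console.log(safeQueryFor('42'));            // sql + params, value never spliced in
```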
// Common AI-generated code (VULNERABLE)
// Prompt: "Write a function to get user by ID"
// (`app` is an Express app, `db` a driver that supports `?` placeholders)
app.get('/user/:id', (req, res) => {
  // req.params.id is dropped straight into the SQL string
  const query = `SELECT * FROM users WHERE id = ${req.params.id}`;
  db.query(query, (err, result) => {
    res.json(result);
  });
});
// AI generated this quickly, it "works",
// but it's vulnerable to SQL injection

// What a security-aware developer would write
app.get('/user/:id', (req, res) => {
  // Validate input: require a plain decimal integer. parseInt alone is not
  // enough, because parseInt('1 OR 1=1', 10) silently returns 1.
  if (!/^\d{1,18}$/.test(req.params.id)) {
    return res.status(400).json({ error: 'Invalid ID' });
  }
  const id = Number(req.params.id);
  // Parameterized query: the driver sends the value separately from the SQL
  // text. Select only the columns the client needs; SELECT * would also
  // return password hashes and other internal fields.
  const query = 'SELECT id, username FROM users WHERE id = ?';
  db.query(query, [id], (err, result) => {
    if (err) {
      // Log server-side; never echo driver errors to the client
      return res.status(500).json({ error: 'Internal error' });
    }
    if (!result.length) {
      return res.status(404).json({ error: 'Not found' });
    }
    res.json(result[0]);
  });
});

AI-Generated Auth Code Risks
// AI-generated JWT implementation (VULNERABLE)
const jwt = require('jsonwebtoken');
app.post('/login', (req, res) => {
  const { username, password } = req.body;
  // AI often forgets password hashing: plaintext compared against stored plaintext
  const user = users.find(u =>
    u.username === username && u.password === password
  );
  if (user) {
    // Weak secret, no expiration
    const token = jwt.sign({ id: user.id }, 'secret');
    res.json({ token });
  }
  // No response on failure either: the request simply hangs
});

// Security-hardened version
const jwt = require('jsonwebtoken');
const bcrypt = require('bcrypt');
// Fail at startup if the secret is missing, not on the first login
const JWT_SECRET = process.env.JWT_SECRET;
if (!JWT_SECRET) throw new Error('JWT_SECRET is not set');
app.post('/login', async (req, res) => {
  const { username, password } = req.body;
  // Reject non-string values: an object like {"$ne": ""} must not reach a
  // MongoDB-style findOne, where it would be interpreted as a query operator
  if (typeof username !== 'string' || typeof password !== 'string') {
    return res.status(400).json({ error: 'Invalid request' });
  }
  const user = await User.findOne({ username });
  if (!user) {
    // Same message as for a wrong password, so usernames cannot be enumerated
    return res.status(401).json({ error: 'Invalid credentials' });
  }
  // Proper password verification against the bcrypt hash stored at registration
  const valid = await bcrypt.compare(password, user.passwordHash);
  if (!valid) {
    return res.status(401).json({ error: 'Invalid credentials' });
  }
  // Strong secret from the environment, short lifetime, explicit algorithm
  const token = jwt.sign(
    { id: user.id },
    JWT_SECRET,
    { algorithm: 'HS256', expiresIn: '1h' }
  );
  res.json({ token });
});

Real-World Incidents
GitHub Copilot Security Study
2022: A Stanford user study found that developers with access to an AI assistant wrote significantly less secure code than those without, and were more likely to believe their code was secure. A separate NYU analysis of GitHub Copilot found that roughly 40% of the programs it generated for security-relevant scenarios contained vulnerabilities.
Impact: Raised awareness about AI-assisted coding risks in the security community
ChatGPT Code Vulnerabilities
2023: Multiple studies found that ChatGPT frequently suggests code with OWASP Top 10 vulnerabilities, including SQL injection, XSS, and insecure deserialization.
Impact: Prompted discussions about AI safety in software development
Worried about Vibe Coding in your app?
Our security audits identify vulnerabilities like this before attackers do. Get expert manual review of your codebase.