AI is starting to produce real results in code vulnerability analysis
In the same week, two security research results showed what AI-based code analysis can now do in practice. Anthropic used Claude to analyze Mozilla Firefox’s JavaScript engine and found 22 CVEs, while GitHub Security Lab reported more than 80 vulnerabilities in web apps using its open-source AI audit framework, Taskflow Agent. The targets and methods differ, but both point in the same direction: AI is starting to read code and surface bugs before human researchers get there.
Claude × Firefox SpiderMonkey: 22 CVEs
Anthropic’s Frontier Red Team ran Claude Opus 4.6 as an agent for two weeks to analyze Firefox’s JavaScript engine (SpiderMonkey). Standard utilities and vulnerability analysis tools were placed in a sandboxed VM, with no special prompt design or custom harness: just the model and the code. Approximately 6,000 C++ files were scanned and a total of 112 bug reports were filed.
| Item | Count |
|---|---|
| Number of CVEs issued | 22 |
| High-severity | 14 |
| Moderate-severity | 7 |
| Other bugs (no CVE) | Approximately 90 |
| Total number of reports | 112 |
The 14 high-severity vulnerabilities represent about one-fifth of all high-severity vulnerabilities fixed in Firefox in 2025. The fixes shipped with Firefox 148 (a few remain for the next release).
Analysis method and discovered vulnerabilities
Claude’s analysis is hypothesis-driven rather than pure pattern matching. When it sees a commit that adds a stack bounds check in one file, for example, it infers that another file calling the same function may still lack the same guard and investigates there. The first use-after-free issue was reportedly found just 20 minutes after the run began.
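The “a guard was added at one call site, so sibling call sites may still be missing it” hypothesis described above can be expressed as a small, deterministic check. The following is an added example, not Anthropic’s or Mozilla’s code: the unified diff, the three source files and the names `CheckRecursionLimit` and `walkNode` are all constructed for illustration. It reads the guard and the protected callee out of the patch’s added lines, then reports every other call to that callee whose preceding lines contain no such guard.

```python
"""Hypothesis-driven 'missing guard at sibling call sites' check.
Added example; patch, files and function names are constructed."""
import re

# Constructed unified diff: a recursion-limit guard is added before one
# call to walkNode() in parser.cpp (hypothetical file and function names).
PATCH = """\
--- a/parser.cpp
+++ b/parser.cpp
@@ -10,6 +10,8 @@
 bool Parser::parseExpr(Node* n) {
+    if (!CheckRecursionLimit(cx))
+        return false;
     return walkNode(n);
 }
"""

# Constructed snapshot of the repository after the patch was applied.
FILES = {
    "parser.cpp": """\
bool Parser::parseExpr(Node* n) {
    if (!CheckRecursionLimit(cx))
        return false;
    return walkNode(n);
}
""",
    "emitter.cpp": """\
bool Emitter::emitTree(Node* n) {
    // no recursion-limit check here
    return walkNode(n);
}
""",
    "printer.cpp": """\
void Printer::dump(Node* n) {
    if (!CheckRecursionLimit(cx))
        return;
    walkNode(n);
}
""",
}


def extract_hypothesis(patch: str) -> tuple[str, str]:
    """Return (guard, callee): the guard call introduced on a '+' line and
    the callee on the first unchanged context line that follows it."""
    lines = patch.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        m = re.search(r"if\s*\(\s*!?\s*(\w+)\s*\(", line)
        if not m:
            continue
        guard = m.group(1)
        for ctx in lines[i + 1:]:
            if ctx.startswith(" "):  # unchanged context line
                call = re.search(r"\b(\w+)\s*\(", ctx)
                if call:
                    return guard, call.group(1)
    raise ValueError("no guard hypothesis found in patch")


def unguarded_call_sites(files: dict[str, str], guard: str, callee: str,
                         window: int = 3) -> list[tuple[str, int]]:
    """Report every call to `callee` whose preceding `window` lines contain
    no call to `guard`, as (file, 1-based line) candidates to investigate."""
    callee_re = re.compile(rf"\b{re.escape(callee)}\s*\(")
    guard_re = re.compile(rf"\b{re.escape(guard)}\s*\(")
    hits = []
    for name, text in files.items():
        lines = text.splitlines()
        for idx, line in enumerate(lines):
            if not callee_re.search(line):
                continue
            before = lines[max(0, idx - window):idx]
            if not any(guard_re.search(b) for b in before):
                hits.append((name, idx + 1))
    return hits


def investigate(patch: str = PATCH, files: dict[str, str] = FILES):
    guard, callee = extract_hypothesis(patch)
    return unguarded_call_sites(files, guard, callee)


if __name__ == "__main__":
    for f, n in investigate():
        print(f"{f}:{n}: call without the guard the patch introduced")
```

The output is a list of candidates, not confirmed bugs; the point is that a single commit turns into a query over the whole codebase, which is what the hypothesis-driven approach does with far richer context than a fixed-window regex.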
The types of vulnerabilities discovered are as follows:
- Use after free (a pointer is used after the memory it refers to has been freed)
- JIT miscompilation (an optimization mistake in the JIT compiler)
- A new class of logic errors that fuzzing does not find
Of particular note is CVE-2026-2796 (CVSS 9.8). It is classified as a JIT miscompilation: type checking on the import/export path between WebAssembly modules was bypassed, so an optimization allowed a wasm function with a mismatched type to be placed in the import record.
Fuzzing (feeding a program a large number of random inputs and watching for abnormal terminations) is well suited to finding crashes and assertion failures, but logic errors do not manifest as crashes because execution simply continues. The strengths and weaknesses of AI static analysis and fuzzing can be summarized as follows.
| Method | Strong at | Weak at |
|---|---|---|
| Fuzzing | Crash/assertion failure | Logic error/information leak |
| AI Static Analysis | Logic Errors/Code Patterns | Runtime-Dependent Timing Issues |
| Human code review | Design flaws/complex context | Entire large codebase |
Rather than AI replacing fuzzing, the relationship is complementary: AI covers the layers that fuzzing overlooks.
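To make the “logic errors do not show up as crashes” point concrete, here is an added example (constructed for this article, not code from SpiderMonkey or from Anthropic’s run). A deliberately buggy import-linking check compares only the number of parameters, so a signature with the right arity but the wrong types is accepted without any exception; a crash-oriented fuzz loop over random signatures therefore reports nothing, while the same inputs judged against a specification oracle expose the bug immediately.

```python
"""Why crash-based fuzzing misses logic errors. Added example; the
signature checker and its bug are constructed, not SpiderMonkey code."""
import random

TYPES = ("i32", "i64", "f32", "f64")


def link_import_buggy(expected: tuple[str, ...], provided: tuple[str, ...]) -> bool:
    """Constructed logic bug: the 'type check' only compares arity, so an
    import with the right parameter count but wrong types is accepted.
    Nothing crashes here; the mismatch surfaces later as wrong behaviour."""
    return len(expected) == len(provided)


def link_import_fixed(expected: tuple[str, ...], provided: tuple[str, ...]) -> bool:
    """Correct check: the whole signature must match."""
    return expected == provided


def random_sig(rng: random.Random, max_len: int = 3) -> tuple[str, ...]:
    return tuple(rng.choice(TYPES) for _ in range(rng.randint(0, max_len)))


def crash_fuzz(fn, iterations: int = 2000, seed: int = 1) -> int:
    """Fuzzing as described above: random inputs, count abnormal terminations."""
    rng = random.Random(seed)
    crashes = 0
    for _ in range(iterations):
        try:
            fn(random_sig(rng), random_sig(rng))
        except Exception:
            crashes += 1
    return crashes


def oracle_check(fn, iterations: int = 2000, seed: int = 1) -> int:
    """Same random inputs, but each result is compared with the specification
    (accept iff the signatures are identical) instead of waiting for a crash."""
    rng = random.Random(seed)
    violations = 0
    for _ in range(iterations):
        expected, provided = random_sig(rng), random_sig(rng)
        if fn(expected, provided) != (expected == provided):
            violations += 1
    return violations


if __name__ == "__main__":
    print("crash fuzz, buggy checker:", crash_fuzz(link_import_buggy))
    print("oracle, buggy checker:   ", oracle_check(link_import_buggy))
    print("oracle, fixed checker:   ", oracle_check(link_import_fixed))
```

The oracle here is trivial because the specification is one line; for a real engine the equivalent oracle is a reviewer (human or model) who knows what the code is supposed to guarantee, which is exactly the gap the static approach fills.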
Attempt to create an exploit
Anthropic is also testing whether the vulnerabilities it discovers can be turned into exploits (code that can actually be used to carry out an attack). After spending about $4,000 in API credits and running hundreds of attempts, only two could be converted into working exploits. CVE-2026-2796 is one of them, but it only worked in a test environment where sandboxing was intentionally disabled. A full-chain exploit that combines multiple vulnerabilities to escape the browser sandbox has not been achieved.
```mermaid
graph LR
A[6,000 C++ files] --> B[112 bug reports]
B --> C[22 CVEs]
C --> D[Exploit attempts<br/>hundreds of runs, $4,000]
D --> E[2 successes<br/>only with sandbox disabled]
D --> F[Full-chain exploit<br/>not achieved]
```
Anthropic says, “Claude is good at finding bugs, but it’s still bad at turning them into exploits.” Bug finding and exploit writing are different skills, and the current threat from AI is less about automating the exploitation of known vulnerabilities and more about helping defenders find bugs first.
Report quality and Mozilla support
The reports generated by Claude did not merely suggest that a bug might exist; each came with a minimal reproducible test case. This is what allowed Mozilla’s security team to verify and fix the issues quickly. Triaging bugs and preparing a reproduction environment are processes that take up a lot of security engineers’ time, and Claude’s reports cut that time down.
In response to this work, Mozilla is beginning to integrate AI-assisted analysis into its internal security workflows. Previously the main sources were bug bounty reports from external researchers and internal fuzzing; by continuously running static analysis of the code base with an AI agent, Mozilla aims to build a system that finds vulnerabilities before attackers do.
GitHub Taskflow Agent: AI auditing framework for web apps
GitHub Security Lab has released an OSS AI-powered vulnerability scanning framework called “Taskflow Agent.” Unlike Claude’s one-off analysis, this one is designed as a general-purpose tool that anyone can run on their own repositories. At the time of publication, more than 80 vulnerabilities have been discovered, of which approximately 20 have been disclosed.
How Taskflow works
The core of the Taskflow Agent is a chain of sequential tasks defined in a YAML file called a “taskflow.” Instead of issuing one monolithic prompt, it breaks the analysis down into smaller steps and runs each one in turn. Each task starts in a fresh context and uses the memcache toolbox (a key-value store) to pass data between tasks. Intermediate results accumulate in a SQLite database (repo_context.db) as the flow progresses, so later tasks can draw on the knowledge of earlier ones. This divide-and-conquer design is how it works around the limits of the LLM’s context window.
```mermaid
graph TD
A[Decompose the repository into functional components] --> B[Gather context per component<br/>entry points, privilege levels, purpose]
B --> C[Propose vulnerability candidates per component]
C --> D[Audit candidates in detail]
D --> E[Accumulate in the context DB]
E --> F[Generate report]
```
During the “context gathering” phase, the agent works out where the authentication boundaries in the code are before the audit starts. This preprocessing makes it much easier to answer the concrete question, “Can this endpoint be reached without authentication?”
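The pipeline described in the two paragraphs above (fresh context per task, a key-value store between tasks, a SQLite context database, and a context-gathering step that records authentication boundaries before candidates are proposed) can be sketched without an LLM at all. The following is an added illustration of that architecture, not the seclab-taskflows code and not its YAML schema: the route table is constructed, `@login_required` is the assumed marker of an authenticated entry point, `PUBLIC_PATHS` is an assumed list of endpoints that are public by design, and each task body does deterministic parsing where the real tool would prompt a model.

```python
"""Divide-and-conquer audit pipeline in the style described above.
Added example; not the seclab-taskflows implementation. Route source,
decorator names and the PUBLIC_PATHS allowlist are constructed."""
import re
import sqlite3

# Constructed source of a hypothetical web app (Flask-style routes).
SOURCE = """\
@app.route("/login", methods=["POST"])
def login(): ...

@app.route("/orders/<int:order_id>")
@login_required
def get_order(order_id): ...

@app.route("/admin/users")
def list_users(): ...
"""

ROUTE_RE = re.compile(
    r'@app\.route\("(?P<path>[^"]+)"[^\n]*\n'  # route decorator
    r'(?P<decos>(?:@\w+\n)*)'                   # further decorators, if any
    r'def (?P<name>\w+)\('
)
PUBLIC_PATHS = {"/login", "/signup", "/health"}  # assumed public by design


def task_decompose(kv, db, ctx):
    """Task 1: split the repository into components (here: one per route).
    Only the key-value store carries results forward."""
    ctx["source"] = SOURCE
    kv["components"] = [
        {"path": m["path"], "handler": m["name"],
         "decorators": m["decos"].split()}
        for m in ROUTE_RE.finditer(ctx["source"])
    ]


def task_gather_context(kv, db, ctx):
    """Task 2: record entry point and privilege level per component in the
    context database, the equivalent of repo_context.db."""
    db.execute("CREATE TABLE IF NOT EXISTS context "
               "(handler TEXT PRIMARY KEY, entry_point TEXT, auth_level TEXT)")
    for c in kv["components"]:
        level = "authenticated" if "@login_required" in c["decorators"] else "anonymous"
        db.execute("INSERT OR REPLACE INTO context VALUES (?, ?, ?)",
                   (c["handler"], c["path"], level))
    db.commit()


def task_propose_candidates(kv, db, ctx):
    """Task 3: ask 'can this endpoint be reached without authentication?'
    using only the context gathered earlier, not the source."""
    rows = db.execute(
        "SELECT handler, entry_point FROM context WHERE auth_level = 'anonymous'"
    ).fetchall()
    kv["candidates"] = [(h, p) for h, p in rows if p not in PUBLIC_PATHS]


def task_audit(kv, db, ctx):
    """Task 4: persist the audited candidates as findings."""
    db.execute("CREATE TABLE IF NOT EXISTS findings "
               "(handler TEXT, entry_point TEXT, category TEXT)")
    for h, p in kv["candidates"]:
        db.execute("INSERT INTO findings VALUES (?, ?, ?)",
                   (h, p, "Auth Bypass candidate"))
    db.commit()


def task_report(kv, db, ctx):
    """Task 5: build the report from the database."""
    kv["report"] = db.execute(
        "SELECT handler, entry_point, category FROM findings ORDER BY entry_point"
    ).fetchall()


TASKFLOW = [task_decompose, task_gather_context,
            task_propose_candidates, task_audit, task_report]


def run_taskflow(tasks=TASKFLOW, db_path=":memory:"):
    """Run the tasks in sequence; every task gets an empty ctx so nothing
    leaks between steps except what went through kv or the database."""
    kv = {}
    db = sqlite3.connect(db_path)
    try:
        for task in tasks:
            task(kv, db, {})
    finally:
        db.close()
    return kv["report"]


if __name__ == "__main__":
    for handler, path, category in run_taskflow():
        print(f"{category}: {handler} at {path}")
```

With the constructed input, only `/admin/users` is flagged: `/login` is allowlisted as public and `/orders/...` carries the authentication marker. The value of the design is visible even at this scale: the candidate step never re-reads the source, it queries the context the earlier step built.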
Vulnerability categories that can be detected
Current taskflows are particularly good at the following categories:
- Auth Bypass: a design error or implementation bug that lets an authentication check be skipped. One real finding was a chat platform that let users log in no matter what password value they submitted.
- IDOR (Insecure Direct Object Reference, a form of broken access control): another user’s resources can be accessed simply by specifying their ID. IDOR is easy to miss in manual code review, so AI is well suited to following the flow and checking whether an ownership or permission check is present.
- Token Leak / credential leak: authentication tokens or other secrets end up in logs, error responses, or API responses.
- Information Disclosure: private user data can be obtained without a permission check.
CVEs actually found
Here are some published examples.
| Project | Vulnerability | CVE |
|---|---|---|
| WooCommerce (PHP) | Logged-in users can view all guest orders. Leakage of personal information such as name, address, phone number, etc. | CVE-2025-15033 |
| Spree (Ruby, e-commerce framework) | Unauthenticated users can enumerate addresses and phone numbers of guest orders simply by incrementing a parameter | CVE-2026-25758 |
| Spree (same as above) | Similar IDOR vulnerability | CVE-2026-25757 |
It was particularly effective at uncovering systemic problems in the cart logic and order processing of e-commerce sites. The CodeQL alert triage taskflow alone has surfaced approximately 30 real vulnerabilities.
How to use
The repository is published at GitHubSecurityLab/seclab-taskflows and is ready to run on GitHub Codespaces.

```sh
./scripts/audit/run_audit.sh myorg/myrepo
```

Estimated execution time is 1 to 2 hours for a medium-sized repository. A GitHub Copilot license is required to run it, and requests that use the premium model incur additional costs. Custom taskflows can also be defined in YAML, so audits targeting a particular vulnerability class can be built.
Differences from existing SAST/DAST
Traditional static analysis tools (SAST) operate on rule-based pattern matching, so they are vulnerable to problems outside of known patterns. Taskflow Agent asks questions after the AI understands the semantics of the code, so it can detect problems at the “Is this code correct as business logic?” layer. By working with CodeQL MCP Server and providing templated CodeQL queries as an MCP tool, we are taking the approach of putting LLM inference on top of the existing CodeQL infrastructure.
GitHub Security Lab particularly emphasizes the low false-positive rate. AI-based tools have been criticized for “calling anything a vulnerability,” but by building up context first through the taskflow design, the agent narrows its findings to problems that are actually exploitable. The main sources of false positives are cases such as code paths that only the repository maintainer can trigger and workflows that have already been disabled; these are hard to recognize from code patterns alone but can be identified by understanding what the code means.
Comparison of the two approaches
| Item | Claude × Firefox | Taskflow Agent |
|---|---|---|
| Model | Claude Opus 4.6 | GitHub Copilot (Premium Model) |
| Target | C++/Rust (low-level) | Python/JS/Ruby (web apps) |
| Publication format | Research project | OSS framework |
| Number of cases discovered | 22 CVE + approximately 90 cases | More than 80 cases (of which approximately 20 have been disclosed) |
| Specialized vulnerabilities | Logic errors/memory safety | Auth Bypass/IDOR/Token Leak |
| Analysis method | Hypothesis-driven (reads Git history) | Taskflow divide and conquer |