Are insecure code completions in PyCharm a vulnerability?
4 hours ago
- #Code Security
- #IDE Vulnerabilities
- #AI Code Generation
- The author tested PyCharm's Full Line Completion plugin, which suggested insecure code examples, such as disabling warnings and certificate verification in urllib3, potentially introducing security vulnerabilities.
- Despite reporting the issue, JetBrains did not classify it as a direct security vulnerability and requested non-disclosure under a coordinated policy, but the behavior remained unchanged in later versions.
- The author argues that such code generation flaws are common across models and should be addressed by vendors to prevent users from accepting insecure suggestions, though CVE assignment may not be appropriate.
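The first bullet describes completions that silence urllib3's TLS warnings and turn off certificate verification. As an added example (not code from the post or from JetBrains), the following stdlib-only checker parses a Python snippet and flags those patterns, so a reviewer or pre-commit hook can catch an accepted insecure suggestion; both snippets it runs over are constructed here, and the hardened one assumes `certifi` is available.

```python
import ast

# Constructed sample of the kind of completion the post describes, beside a
# corrected form that keeps verification on (assumes certifi is installed).
INSECURE_SNIPPET = """
import urllib3
urllib3.disable_warnings()
http = urllib3.PoolManager(cert_reqs='CERT_NONE', assert_hostname=False)
resp = http.request('GET', 'https://example.invalid/')
"""

HARDENED_SNIPPET = """
import urllib3, certifi
http = urllib3.PoolManager(cert_reqs='CERT_REQUIRED', ca_certs=certifi.where())
resp = http.request('GET', 'https://example.invalid/')
"""


def _call_name(node):
    """Dotted name of a Call's callee, e.g. 'urllib3.disable_warnings'."""
    parts, f = [], node.func
    while isinstance(f, ast.Attribute):
        parts.append(f.attr)
        f = f.value
    if isinstance(f, ast.Name):
        parts.append(f.id)
    return ".".join(reversed(parts))


def find_insecure_tls(source):
    """Return (line, reason) findings for urllib3 TLS-weakening patterns."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        if _call_name(node).endswith("disable_warnings"):
            findings.append((node.lineno, "TLS warnings silenced"))
        for kw in node.keywords:
            v = kw.value
            # Accept both the string form 'CERT_NONE' and ssl.CERT_NONE.
            cert_none = (isinstance(v, ast.Constant) and v.value in ("CERT_NONE", 0)) or (
                isinstance(v, ast.Attribute) and v.attr == "CERT_NONE")
            if kw.arg == "cert_reqs" and cert_none:
                findings.append((node.lineno, "certificate verification disabled"))
            if kw.arg == "assert_hostname" and isinstance(v, ast.Constant) and v.value is False:
                findings.append((node.lineno, "hostname check disabled"))
    return findings
```

Line numbers in the findings refer to the snippet being scanned, so they can be mapped straight back to the editor buffer.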