Correct Code, Vulnerable Dependencies: 36-56% of LLM-Generated Code Tasks Ship Known CVEs
arXiv·high signal
Large-scale study finds 36.7-55.7% of LLM coding tasks contain at least one known CVE in specified dependencies, with 62-75% rated Critical/High severity. In 72-91% of cases, the CVEs were disclosed before the model's knowledge cutoff. All models converge on the same small set of risky release versions — a systemic bias, not isolated errors.