Anthropic's Claude Mythos AI model was announced with significant fanfare for its purported ability to identify code vulnerabilities. Initially generating alarm across the tech industry, the model's effectiveness was put to the test on the widely used curl data transfer library, Security Affairs reports.

Daniel Stenberg, the creator of curl, reviewed a Mythos analysis of 176,000 lines of C code, which claimed to have found five "confirmed" vulnerabilities. However, upon closer inspection by Stenberg and his security team, only one low-severity issue was confirmed as a genuine vulnerability. The other four findings were either false positives, already documented in the API, or classified as simple bugs rather than security flaws. This outcome contrasts with previous AI tools that have identified hundreds of issues and CVEs in curl's codebase, which is already extensively fuzzed and audited.

Stenberg concluded that the hype surrounding Mythos appeared to be primarily marketing, with no demonstrated advantage over existing security tools. While not dismissing AI tooling in general, he argued that Mythos did not show superiority on this specific, heavily scrutinized project.

Source: Security Affairs
Anthropic’s AI finds one low-severity vulnerability in heavily audited curl codebase




