[BUG] (SECURITY)

Resolved 💬 3 comments Opened Jan 6, 2026 by andreyparvu-sudo Closed Jan 10, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Summary

A local 14B parameter model (Mistral Nemo) audited code written by Claude Code and found 1426 issues, including 22 security vulnerabilities with 6 HIGH severity SQL Injection instances.

## The Irony

| | |
|---|---|
| Code author | Claude Code (Opus 4.5) - premium pricing (~$15/1M output tokens) |
| Code auditor | Mistral Nemo 14B - free, open-source, running locally on a single L4 GPU |
| Result | The small local model found SQL injection vulnerabilities in code written by the "premium" model |

## Audit Statistics

| Metric | Value |
|--------|-------|
| Files scanned | 309 |
| Total issues | 1426 |
| Scan time | ~20 minutes |
| Parallel workers | 8 |

### By Severity

| Severity | Count |
|----------|-------|
| HIGH | 6 |
| MEDIUM | 512 |
| LOW | 904 |

### By Category

| Category | Count |
|----------|-------|
| Code Smell | 545 |
| Functional | 431 |
| UI | 407 |
| Security | 22 |
| Performance | 14 |

## Critical Security Issues

### 1. SQL Injection (16 locations - 6 HIGH, 10 MEDIUM)

Claude Code wrote SQL queries using string interpolation instead of parameterized queries.

Files affected (HIGH severity):

  • src/app/api/files/[fileId]/route.ts
  • src/lib/tenant-db.ts
  • src/lib/auth-service.ts

Example of vulnerable code pattern written by Claude:
``typescript
// WRONG - what Claude Code wrote
const result = await db.query(
SELECT * FROM users WHERE id = '${userId}'`);

// CORRECT - what it should have been
const result = await db.query('SELECT * FROM users WHERE id = $1', [userId]);

This is OWASP Top 10 #1 - the most basic security vulnerability, known for decades.

  1. Insecure API Calls (2 HIGH)

API calls without authentication/authorization checks in team-sidebar.tsx

  1. Exposed Secrets (2 locations)
  • Hardcoded API URLs
  • Exposed API keys in code
  1. XSS Vulnerability (1 MEDIUM)

Usage of dangerouslySetInnerHTML without sanitization in layout.tsx

  1. Insecure Storage (4 MEDIUM)

Storing tokens and sensitive data in localStorage/sessionStorage

Expected Behavior

Claude Code should:

  1. Always use parameterized queries for SQL - this is Security 101
  2. Never hardcode secrets in code
  3. Always sanitize HTML before using dangerouslySetInnerHTML
  4. Follow OWASP security guidelines
  5. Include proper error handling

Actual Behavior

Claude Code generated production code with:

  • 16 SQL injection vulnerabilities
  • 2 exposed secrets
  • 1 XSS vulnerability
  • 4 insecure storage patterns
  • 431 functional issues
  • 407 UI issues

The Real Problem

A free, open-source 14B parameter model running on a single GPU found critical security vulnerabilities in code written by Claude Code (Opus 4.5).

At ~$15/1M output tokens, users expect:

  • Security-first code generation
  • Following industry best practices
  • OWASP Top 10 awareness
  • Production-ready code quality

Instead, we got SQL injection. In 2026.

Suggestion

Consider implementing:

  1. Built-in security scanning before outputting code
  2. Automatic detection of dangerous patterns (string interpolation in SQL)
  3. Warnings when generating potentially insecure code
  4. A "secure mode" flag that enforces security best practices
  5. Actually caring about code quality, not just marketing

Environment

  • Claude Code version: Latest (Opus 4.5)
  • Project: Next.js/React enterprise application
  • Audit tool: Custom parallel scanner using Mistral Nemo 14B via vLLM

---
This is not a hypothetical scenario. This is a real enterprise application in production. The code was written by Claude Code over multiple sessions. The audit was performed on 2026-01-06.

We trusted Claude Code to write secure code. It didn't. A 14B model proved it.

What Should Happen?

-

Error Messages/Logs

Steps to Reproduce

-

Claude Model

Opus

Is this a regression?

Yes, this worked in a previous version

Last Working Version

_No response_

Claude Code Version

2.0.75

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

-

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗