How Safe Are AI-Generated Patches? A Large-scale Study on Security Risks in LLM and Agentic Automated Program Repair on SWE-bench

TL;DR

This large-scale study assesses the security risks of AI-generated patches in automated program repair, revealing that LLMs and agentic frameworks can introduce vulnerabilities influenced by code and issue context.

Contribution

First comprehensive security analysis of LLM-generated patches on real-world GitHub issues, highlighting vulnerabilities and contextual factors affecting security in automated program repair.

Findings

Llama 3.3 introduces many new vulnerabilities.

Agentic frameworks generate vulnerabilities with increased autonomy.

Vulnerabilities are linked to specific code and issue characteristics.

Abstract

Large language models (LLMs) and their agentic frameworks are increasingly adopted to perform development tasks such as automated program repair (APR). While prior work has identified security risks in LLM-generated code, most have focused on synthetic, simplified, or isolated tasks that lack the complexity of real-world program repair. In this study, we present the first large-scale security analysis of LLM-generated patches using 20,000+ GitHub issues. We evaluate patches proposed by developers, a standalone LLM (Llama 3.3 Instruct-70B), and three top-performing agentic frameworks (OpenHands, AutoCodeRover, HoneyComb). Finally, we analyze a wide range of code, issue, and project-level factors to understand the conditions under which generating insecure patches is more likely. Our findings reveal that Llama introduces many new vulnerabilities, exhibiting unique patterns not found in developers' code. Agentic workflows also generate a number of vulnerabilities, particularly when given more autonomy. We find that vulnerabilities in LLM-generated patches are associated with distinctive code characteristics and are commonly observed in issues missing specific types of information. These results suggest that contextual factors play a critical role in the security of the generated patches and point toward the need for proactive risk assessment methods that account for both issue and code-level information.