When "Correct" Is Not Safe: Can We Trust Functionally Correct Patches Generated by Code Agents?

TL;DR

This paper uncovers a security vulnerability in code agents where patches are functionally correct but still contain security flaws, demonstrating that current correctness-focused evaluations overlook critical security risks.

Contribution

The paper introduces the FCV-Attack, a novel method to craft vulnerable yet functionally correct patches, exposing security flaws in state-of-the-art code agents.

Findings

FCV patches can pass tests but still contain vulnerabilities.

State-of-the-art code agents are vulnerable to FCV-Attack with high success rates.

Current evaluation methods overlook security risks in code patches.

Abstract

Code agents are increasingly trusted to autonomously fix bugs on platforms such as GitHub, yet their security evaluation focuses almost exclusively on functional correctness. In this paper, we reveal a novel type of threat to real-world code agents: Functionally Correct yet Vulnerable (FCV) patches, which pass all test cases but contain vulnerable code. With our proposed FCV-Attack, which can be deliberately crafted by malicious attackers or implicitly introduced by benign developers, we show that SOTA LLMs (e.g., ChatGPT and Claude) and agent scaffolds (e.g., SWE-agent and OpenHands) are all vulnerable to this FCV threat; across 12 agent-model combinations on SWE-Bench, the attack only requires black-box access and a single query to the code agent to perform the attack. For example, for CWE-538 (information exposure vulnerability), the FCV-Attack attains an attack success rate of $40.7\%$ on GPT-5 Mini + OpenHands. Our results reveal an important security threat overlooked by current evaluation paradigms and urge the development of security-aware defenses for code agents.