• Larson: Are insecure code completions a vulnerability?

    From LWN.net@1337:1/100 to All on Wed Jun 10 17:45:06 2026
    Larson: Are insecure code completions a vulnerability?

    Date:
    Wed, 10 Jun 2026 16:43:14 +0000

    Description:
    Seth Larson, the Python Software Foundation's security
    developer-in-residence, has written about the difficulty of
    classifying insecure code completions in the PyCharm IDE using its
    Full Line code completion plugin. Larson discovered that the plugin,
    which uses a local "deep learning module" to offer code completions,
    suggests code that would lead to severe vulnerabilities. He was
    unsure whether it warranted a CVE or not, however:

        I reported this behavior to JetBrains for "Full Line Code
        Completion" v253.29346.142, and clearly their support staff
        weren't certain whether this defect was a security
        vulnerability or not either. When I asked to publish a blog
        post about this behavior, after they had confirmed this report
        wasn't a "direct security vulnerability" (which I agree with),
        I was instead asked not to publicize my report and referred to
        PyCharm's Coordinated Disclosure Policy, so... which is it?
        Security vulnerability or not? I ended up waiting the 90 days
        anyway, and I didn't hear back with any substantive update
        from the development team. I double-checked again today using
        "Full Line Code Completion" v261.24374.152 and the behavior is
        identical, suggesting the same insecure code for both
        contexts. This isn't meant to be a specific dig at PyCharm or
        JetBrains; I have no doubt that examples like this exist in
        every code generation model available.

    ======================================================================
    Link to news story:
    https://lwn.net/Articles/1077413/


    --- Mystic BBS v1.12 A49 (Linux/64)
    * Origin: tqwNet UK HUB @ hub.uk.erb.pw (1337:1/100)