Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Extracting Recurring Vulnerabilities from Black-Box LLM-Generated Software

Tomer Kordonsky, Maayan Yamin, Noam Benzimra, Amit LeVi, Avi Mendelson

TL;DR

This work reveals that large language models used for code generation exhibit recurring, model-specific vulnerability templates that can be predicted from observable frontend features in a black-box setting. It introduces FSTab, a PMI-based, diversity-penalized lookup that maps frontend signals to likely backend vulnerabilities for a given model, enabling efficient vulnerability prioritization without backend access. Coupled with a formal evaluation framework (FVR, RVP, DVR, CDT), the paper demonstrates strong cross-domain recurrence and transferable vulnerability patterns across six code LLMs and five domains, including notable Universality Gap in cross-domain transfer. These findings expose a practical attack surface in LLM-generated software and motivate defenses such as security-aware decoding, feature-conditioned testing, and model-centric risk evaluation. The work provides a resource for proactive auditing and safer deployment of code-generating models, complemented by reproducible methodologies and a public codebase.

Abstract

LLMs are increasingly used for code generation, but their outputs often follow recurring templates that can induce predictable vulnerabilities. We study \emph{vulnerability persistence} in LLM-generated software and introduce \emph{Feature--Security Table (FSTab)} with two components. First, FSTab enables a black-box attack that predicts likely backend vulnerabilities from observable frontend features and knowledge of the source LLM, without access to backend code or source code. Second, FSTab provides a model-centric evaluation that quantifies how consistently a given model reproduces the same vulnerabilities across programs, semantics-preserving rephrasings, and application domains. We evaluate FSTab on state-of-the-art code LLMs, including GPT-5.2, Claude-4.5 Opus, and Gemini-3 Pro, across diverse application domains. Our results show strong cross-domain transfer: even when the target domain is excluded from training, FSTab achieves up to 94\% attack success and 93\% vulnerability coverage on Internal Tools (Claude-4.5 Opus). These findings expose an underexplored attack surface in LLM-generated software and highlight the security risks of code generation. Our code is available at: https://anonymous.4open.science/r/FSTab-024E.

Extracting Recurring Vulnerabilities from Black-Box LLM-Generated Software

TL;DR

This work reveals that large language models used for code generation exhibit recurring, model-specific vulnerability templates that can be predicted from observable frontend features in a black-box setting. It introduces FSTab, a PMI-based, diversity-penalized lookup that maps frontend signals to likely backend vulnerabilities for a given model, enabling efficient vulnerability prioritization without backend access. Coupled with a formal evaluation framework (FVR, RVP, DVR, CDT), the paper demonstrates strong cross-domain recurrence and transferable vulnerability patterns across six code LLMs and five domains, including notable Universality Gap in cross-domain transfer. These findings expose a practical attack surface in LLM-generated software and motivate defenses such as security-aware decoding, feature-conditioned testing, and model-centric risk evaluation. The work provides a resource for proactive auditing and safer deployment of code-generating models, complemented by reproducible methodologies and a public codebase.

Abstract

LLMs are increasingly used for code generation, but their outputs often follow recurring templates that can induce predictable vulnerabilities. We study \emph{vulnerability persistence} in LLM-generated software and introduce \emph{Feature--Security Table (FSTab)} with two components. First, FSTab enables a black-box attack that predicts likely backend vulnerabilities from observable frontend features and knowledge of the source LLM, without access to backend code or source code. Second, FSTab provides a model-centric evaluation that quantifies how consistently a given model reproduces the same vulnerabilities across programs, semantics-preserving rephrasings, and application domains. We evaluate FSTab on state-of-the-art code LLMs, including GPT-5.2, Claude-4.5 Opus, and Gemini-3 Pro, across diverse application domains. Our results show strong cross-domain transfer: even when the target domain is excluded from training, FSTab achieves up to 94\% attack success and 93\% vulnerability coverage on Internal Tools (Claude-4.5 Opus). These findings expose an underexplored attack surface in LLM-generated software and highlight the security risks of code generation. Our code is available at: https://anonymous.4open.science/r/FSTab-024E.
Paper Structure (111 sections, 33 equations, 3 figures, 28 tables, 2 algorithms)

This paper contains 111 sections, 33 equations, 3 figures, 28 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. Code LLM Evolution and Security Benchmarks.
  4. Vulnerability Persistence and Fingerprinting.
  5. Black-Box Attack on LLM-Generated Programs - FSTab
  6. Attack Objective.
  7. FSTab Structure and Training
  8. Experimental Attack Settings
  9. Feature Definition and Extraction.
  10. Vulnerability Scanner.
  11. Attack Flow and Query Formulation.
  12. Attack Evaluation Metrics.
  13. Vulnerabilities Recurrence Evaluation Framework for Code Generative Models
  14. Objective and Notation
  15. Vulnerability Definition.
  16. ...and 96 more sections

Figures (3)

  • Figure 1: Architectural Vulnerability Fingerprints. Visual representation of models vulnerability recurrence across five functional domains.
  • Figure 2: Overview of the FSTab Framework.
  • Figure 3: The Universality Gap. CDT consistently exceeds DVR, confirming vulnerabilities are inherent to the model.