When "Correct" Is Not Safe: Can We Trust Functionally Correct Patches Generated by Code Agents?

Summary

This paper investigates a security flaw in code-fixing agents powered by large language models, like ChatGPT. These agents are becoming common for automatically fixing bugs in code, but current testing focuses only on whether the fix *works*, not whether it introduces new security problems.

What's the problem?

The main issue is that these code agents can create fixes that pass all the tests, meaning they functionally correct the bug, but still contain security vulnerabilities. This is called a 'Functionally Correct yet Vulnerable' (FCV) patch. Attackers could intentionally create these vulnerable fixes, or they could be introduced accidentally by the agent itself during the fixing process. Current methods for evaluating these agents don't detect these hidden security risks.

What's the solution?

The researchers developed a method called 'FCV-Attack' to demonstrate this problem. They didn't need to know how the code agent worked internally – they just sent it bug-fixing requests. They tested several popular language models (like ChatGPT and Claude) combined with different agent frameworks (like SWE-agent and OpenHands) on a standard set of coding challenges. They found that, with just one carefully crafted request, they could get the agents to create vulnerable fixes a significant percentage of the time, for example, around 40.7% of the time with a specific model and framework combination.

Why it matters?

This research highlights a serious, previously overlooked security threat with automated code-fixing tools. Because these agents are increasingly used in real-world software development, it’s crucial to develop ways to test for and prevent these vulnerable fixes. Simply ensuring a fix works isn't enough; it also needs to be secure, and current evaluation methods aren't doing that.