Joshua Rogers sent us a *massive* list of potential issues in #curl that he found using his set of AI assisted tools. Code analyzer style nits all over. Mostly smaller bugs, but still bugs and there could be one or two actual security flaws in there. Actually truly awesome findings.

I have already landed 22(!) bugfixes thanks to this, and I have over twice that amount of issues left to go through. Wade through perhaps.

Credited "Reported in Joshua's sarif data" if you want to look for yourself

Here's a simple example where it reports that we considered a nread == 0 as reading a byte, when we shouldn't.
@bagder Am I reading this right, this looks like it describes an sread function call, then displays a code snippet of the exact line and there's no sread call.
@chris the code snippet is off, but the description is 100% accurate
@bagder Oh, wow. Then I guess I misjudged this. So glad someone managed to make an LLM pay off and provide good code analysis.
@chris look at this one, where the tool "knows" lots of details of the protocol neg details and can report this masterpiece on the curl telnet code:
@bagder @chris Oh wow - I've not seen AI get the underlying structure/protocol before.
@bagder a great example where tools can help humans, but it doesn't help when the humans are tools
@bagder in the alt text the nread equals copyright 😅
@ondrejkolin yeah sorry, I did not proof read the alt text properly

@bagder well, if the socket read returns ok and 0 length, we received the first reply from the server, eg that it closed the connection on its end.

That is what the semantics of "first_byte" is supposed to track. The var would have been better named "first_reply".

tldr

The code was correct, the naming was wrong.🤷🏻‍♂️

We have now landed more than 70 bugfixes based on Joshua's work.
Now at more than 100 bugs fixed and we're not done yet...

@bagder did this affect or force you to adapt curl's release cycle in any way?

I'm a huge fan, BTW, I think you are one of the best examples of leadership in the open source community.

@gasrios we normally do several hundred bugfixes per release cycle, so while this is more than normal it is not exceptional. Our release cycle is well established and I see no reason to alter it just because of this, no.
@bagder so this is what an AI can do when wielded by a competent human?
@wolf480pl yes! and this after three competent code analyzers already say "no issues found" ...
@bagder This is kind of happening in a lot of industries and should be expected, competent people will always be able to make the most of the tools they have available, but people who aren't will try to cut corners with new tools
@BrodieOnLinux indeed. In this case I'm almost blown away by the quality of some of this...
@BrodieOnLinux @bagder reminds me of my Calculus class. We were first taught how to solve the problems the hard way then taught the shortcuts to solving problems. I see a big push to use LLMs as not learning the hard part first.
@bagder Nice, what tools was he using ?
Hacking with AI SASTs: An overview of ‘AI Security Engineers’ / ‘LLM Security Scanners’ for Penetration Testers and Security Teams

@bagder This is what I was hoping for when the ML stuff started taking off before the LLM apocalypse. Like, a model that can rummage through a given limited dataset like library source code or a car part shop's entire catalogue, and then be able to make inferences that are too laborious for a human. "Find me the cv joint boot that has these dimensions but isn't officially compatible."

But then what we got was this bullshit and it'll just make up a compatible part or function.

@bagder Your run-in with AI + curl reports was on the YouTube channel Low Level, did you see it? https://youtu.be/-uxF4KNdTjQ
Sorry you have to deal with all that, that has to be frustrating... glad you're encountering good use of AI too
@bagder I wonder how many issues the AI tooling will find *after* those bugfixes are applied. Hopefully fewer!
@underlap @bagder oh, I imagine there are still plenty left to be found. :)
@bagder Is Joshua Rogers a regular or a new contributor to cURL? Are these findings landing a lot of money in his pocket?
@gnirre he's a new contributor, yes. So far none of his many reports have turned out to be a security vulnerability so we have not paid any money for them. We have merged lots of fixes though.
@bagder What's the average age of the issues in that list? I.e. what's the mean time these issues have existed?
@benbe I don't know, I haven't checked. From fairly new to reeeeeally old