Document Open Access Logo

Can Open Large Language Models Catch Vulnerabilities?

Authors Diogo Gaspar Lopes , Tiago Espinha Gasiba , Sathwik Amburi , Maria Pinto-Albuquerque

PDF

File

Thumbnail PDF
PDF
OASIcs.ICPEC.2025.4.pdf
  • Filesize: 0.69 MB
  • 14 pages

Document Identifiers

Subject Classification

ACM Subject Classification
  • Security and privacy → Software security engineering
  • Computing methodologies → Machine learning
  • Software and its engineering → Software testing and debugging
Keywords
  • Large Language Models (LLMs)
  • Secure Coding
  • CWE Classification
  • Machine Learning
  • Software Vulnerability Detection
  • Artificial Intelligence
  • Code Analysis
  • Big-Vul Dataset

Metrics

  • Access Statistics
  • Total Accesses (updated on a weekly basis)
    0
    PDF Downloads
    0
    Metadata Views

Abstract

As Large Language Models (LLMs) become increasingly integrated into secure software development workflows, a critical question remains unanswered: can these models not only detect insecure code but also reliably classify vulnerabilities according to standardized taxonomies? In this work, we conduct a systematic evaluation of three state-of-the-art LLMs - Llama3, Codestral, and Deepseek R1 - using a carefully filtered subset of the Big-Vul dataset annotated with eight representative Common Weakness Enumeration categories. Adopting a closed-world classification setup, we assess each model’s performance in both identifying the presence of vulnerabilities and mapping them to the correct CWE label. Our findings reveal a sharp contrast between high detection rates and markedly poor classification accuracy, with frequent overgeneralization and misclassification. Moreover, we analyze model-specific biases and common failure modes, shedding light on the limitations of current LLMs in performing fine-grained security reasoning.These insights are especially relevant in educational contexts, where LLMs are being adopted as learning aids despite their limitations. A nuanced understanding of their behaviour is essential to prevent the propagation of misconceptions among students. Our results expose key challenges that must be addressed before LLMs can be reliably deployed in security-sensitive environments.

Cite As Get BibTex

Diogo Gaspar Lopes, Tiago Espinha Gasiba, Sathwik Amburi, and Maria Pinto-Albuquerque. Can Open Large Language Models Catch Vulnerabilities?. In 6th International Computer Programming Education Conference (ICPEC 2025). Open Access Series in Informatics (OASIcs), Volume 133, pp. 4:1-4:14, Schloss Dagstuhl – Leibniz-Zentrum für Informatik (2025) https://doi.org/10.4230/OASIcs.ICPEC.2025.4

Author Details

Diogo Gaspar Lopes
  • Instituto Universitário de Lisboa (ISCTE-IUL), Portugal
Tiago Espinha Gasiba
  • Siemens AG, Munich, Germany
Sathwik Amburi
  • Siemens AG, Munich, Germany
Maria Pinto-Albuquerque
  • Instituto Universitário de Lisboa (ISCTE-IUL), ISTAR, Portugal

Funding

This work is partially financed by Portuguese national funds through FCT – Fundação para a Ciência e Tecnologia, I.P., under the projects FCT UIDB/04466/2020 and FCT UIDP/04466/2020. Furthermore, Maria Pinto-Albuquerque thanks the Instituto Universitário de Lisboa and ISTAR, for their support.

References

  1. Tom Brown, Benjamin Mann, Nick Ryder, Melanie Subbiah, Jared D Kaplan, Prafulla Dhariwal, Arvind Neelakantan, Pranav Shyam, Girish Sastry, Amanda Askell, Sandhini Agarwal, Ariel Herbert-Voss, Gretchen Krueger, Tom Henighan, Rewon Child, Aditya Ramesh, Daniel Ziegler, Jeffrey Wu, Clemens Winter, Chris Hesse, Mark Chen, Eric Sigler, Mateusz Litwin, Scott Gray, Benjamin Chess, Jack Clark, Christopher Berner, Sam McCandlish, Alec Radford, Ilya Sutskever, and Dario Amodei. Language models are few-shot learners. In H. Larochelle, M. Ranzato, R. Hadsell, M.F. Balcan, and H. Lin, editors, Advances in Neural Information Processing Systems, volume 33, pages 1877-1901. Curran Associates, Inc., 2020. URL: https://proceedings.neurips.cc/paper_files/paper/2020/file/1457c0d6bfcb4967418bfb8ac142f64a-Paper.pdf.
  2. DeepSeek-AI et al. Deepseek-r1: Incentivizing reasoning capability in llms via reinforcement learning, 2025. URL: https://arxiv.org/abs/2501.12948.
  3. Yangruibo Ding, Yanjun Fu, Omniyyah Ibrahim, Chawin Sitawarin, Xinyun Chen, Basel Alomair, David Wagner, Baishakhi Ray, and Yizheng Chen. Vulnerability Detection with Code Language Models: How Far are We? In 2025 IEEE/ACM 47th International Conference on Software Engineering (ICSE), pages 1729-1741, Los Alamitos, CA, USA, May 2025. IEEE Computer Society. URL: https://doi.org/10.1109/ICSE55347.2025.00038.
  4. Tiago Espinha Gasiba, Kaan Oguzhan, Ibrahim Kessba, Ulrike Lechner, and Maria Pinto-Albuquerque. I'm Sorry Dave, I'm Afraid I Can't Fix Your Code: On ChatGPT, CyberSecurity, and Secure Coding. In Ricardo Alexandre Peixoto de Queirós and Mário Paulo Teixeira Pinto, editors, 4th International Computer Programming Education Conference (ICPEC 2023), volume 112 of Open Access Series in Informatics (OASIcs), pages 2:1-2:12, Dagstuhl, Germany, 2023. Schloss Dagstuhl - Leibniz-Zentrum für Informatik. URL: https://doi.org/10.4230/OASIcs.ICPEC.2023.2.
  5. Jiahao Fan, Yi Li, Shaohua Wang, and Tien N. Nguyen. A C/C++ Code Vulnerability Dataset with Code Changes and CVE Summaries. In Proceedings of the 17th International Conference on Mining Software Repositories (MSR), pages 508-512. ACM, 2020. URL: https://doi.org/10.1145/3379597.3387501.
  6. Mohamed Amine Ferrag, Ammar Battah, Norbert Tihanyi, Ridhi Jain, Diana Maimuţ, Fatima Alwahedi, Thierry Lestable, Narinderjit Singh Thandi, Abdechakour Mechri, Merouane Debbah, and Lucas C. Cordeiro. Securefalcon: Are we there yet in automated software vulnerability detection with llms?, 2025. URL: https://doi.org/10.1109/TSE.2025.3548168.
  7. Avishree Khare, Saikat Dutta, Ziyang Li, Alaia Solko-Breslin, Rajeev Alur, and Mayur Naik. Understanding the effectiveness of large language models in detecting security vulnerabilities, 2024. URL: https://arxiv.org/abs/2311.16169.
  8. MITRE Corporation. Common Weakness Enumeration (CWE), 2024. URL: https://cwe.mitre.org.
  9. Maciej Pankiewicz and Ryan S. Baker. Large language models (gpt) for automating feedback on programming assignments. 2023. URL: https://arxiv.org/abs/2307.00150.
  10. Hammond Pearce, Baleegh Ahmad, Benjamin Tan, Brendan Dolan-Gavitt, and Ramesh Karri. Asleep at the keyboard? assessing the security of github copilot’s code contributions. 2021. URL: https://arxiv.org/abs/2108.09293.
  11. Nishat Raihan, Mohammed Latif Siddiq, Joanna C. S. Santos, and Marcos Zampieri. Large language models in computer science education: A systematic literature review. In Proceedings of the 56th ACM Technical Symposium on Computer Science Education (SIGCSE TS 2025), pages 938-944, Pittsburgh, PA, USA, 2025. ACM. URL: https://doi.org/10.1145/3641554.3701863.
  12. Meta AI Research et al. The llama 3 herd of models, 2024. Accessed: 2025-05-09. URL: https://ai.meta.com/research/publications/the-llama-3-herd-of-models/.
  13. Ze Sheng, Zhicheng Chen, Shuning Gu, Heqing Huang, Guofei Gu, and Jeff Huang. Llms in software security: A survey of vulnerability detection techniques and insights. 2025. URL: https://arxiv.org/abs/2502.07049.
  14. Mistral AI Team. Codestral 25.01: A new sota lightweight and fast coding ai model, 2025. Acesso em: 9 mai. 2025. URL: https://mistral.ai/news/codestral-2501.
  15. Priyan Vaithilingam, Tianyi Zhang, and Elena L. Glassman. Expectation vs. Experience: Evaluating the Usability of Code Generation Tools Powered by Large Language Models. In CHI Conference on Human Factors in Computing Systems Extended Abstracts, pages 1-7, New Orleans LA USA, 2022. ACM. URL: https://doi.org/10.1145/3491101.3519665.
  16. Andrew Walker, Michael Coffey, Pavel Tisnovsky, and Tomas Cerny. On limitations of modern static analysis tools. 621:577-586, 2020. URL: https://doi.org/10.1007/978-981-15-1465-4_57.
  17. Jiasheng Zheng, Boxi Cao, Zhengzhao Ma, Ruotong Pan, Hongyu Lin, Yaojie Lu, Xianpei Han, and Le Sun. Beyond correctness: Benchmarking multi-dimensional code generation for large language models. 2024. URL: https://arxiv.org/abs/2407.11470.
  18. Kyrie Zhixuan Zhou, Zachary Kilhoffer, Madelyn Rose Sanfilippo, Ted Underwood, Ece Gumusel, Mengyi Wei, Abhinav Choudhry, and Jinjun Xiong. "the teachers are confused as well": A multiple-stakeholder ethics discussion on large language models in computing education. arXiv preprint arXiv:2401.12453, 2024. URL: https://arxiv.org/abs/2401.12453.
  19. Xin Zhou, Duc-Manh Tran, Le Thanh, Ting Zhang, Ivana Irsan, Joshua Sumarlin, Xuan Bach D Le, and David Lo. Comparison of static application security testing tools and large language models for repo-level vulnerability detection. July 2024. URL: https://doi.org/10.48550/arXiv.2407.16235.
Any Issues?
X

Feedback on the Current Page

CAPTCHA

Thanks for your feedback!

Feedback submitted to Dagstuhl Publishing

Could not send message

Please try again later or send an E-mail
© 2023-2025 Schloss Dagstuhl – LZI GmbH About DROPS Imprint Privacy Contact