The World's Most Ubiquitous Software Faces an AI‑Driven Bug Tsunami
cURL, installed on over 300 billion devices and supporting virtually every network protocol, is now being bombarded by a flood of AI‑generated vulnerability reports that outpace the tiny core team’s capacity, exposing the open‑source community’s resource crunch and prompting a debate on AI‑assisted remediation.
cURL prevalence
cURL and libcurl are installed on more than 300 billion devices, spanning Linux, Windows, iOS, Android, macOS and virtually all IoT hardware. The tool supports almost every network protocol, including HTTP, HTTPS, FTP, FTPS, Gopher, IMAP, LDAP, MQTT, POP3, RTSP, SCP, SMTP and SMB, along with authentication mechanisms such as Kerberos. Which of these a given build actually enables depends on how that libcurl was compiled.
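Because the protocol list above is build-dependent, the practical check is to parse `curl --version` on the host in question rather than assume it. The shell snippet below is an added example, not code from the article or from the curl project: it reads `curl --version` text from stdin, extracts the `Protocols:` and `Features:` lines that curl prints, and answers whether a protocol or feature is enabled. The sample output embedded in `SAMPLE_CURL_VERSION` is constructed for the example (not captured from a real host); its line format follows what curl prints, and it also shows why Kerberos turns up under `Features:` (an auth mechanism) rather than under `Protocols:`.

```shell
#!/bin/sh
# Constructed sample of `curl --version` output for offline use; the
# "Protocols:" and "Features:" lines follow curl's real output format.
SAMPLE_CURL_VERSION='curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3
Release-Date: 2023-12-06
Protocols: dict file ftp ftps gopher gophers http https imap imaps ldap ldaps mqtt pop3 pop3s rtmp rtsp scp sftp smb smbs smtp smtps telnet tftp
Features: alt-svc AsynchDNS brotli GSS-API HSTS HTTP2 HTTPS-proxy IDN IPv6 Kerberos Largefile libz NTLM PSL SPNEGO SSL threadsafe TLS-SRP UnixSockets zstd'

# Print the space-separated protocol list from `curl --version` text on stdin.
curl_protocols() {
    sed -n 's/^Protocols: *//p'
}

# Print the feature list; auth mechanisms (Kerberos, NTLM, SPNEGO) live here.
curl_features() {
    sed -n 's/^Features: *//p'
}

# Exit 0 if the named protocol (case-insensitive) is enabled in the build
# whose `curl --version` output is on stdin, exit 1 otherwise.
curl_has_protocol() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    for p in $(curl_protocols); do
        [ "$p" = "$want" ] && return 0
    done
    return 1
}

# Same check against the Features line (compared case-insensitively).
curl_has_feature() {
    want=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    for f in $(curl_features | tr '[:upper:]' '[:lower:]'); do
        [ "$f" = "$want" ] && return 0
    done
    return 1
}

# Number of protocols the build enables.
curl_protocol_count() {
    curl_protocols | wc -w | tr -d ' '
}

# Usage against a live host (not run here so the snippet stays offline):
#   curl --version | curl_has_protocol smb && echo "smb enabled"
#   curl --version | curl_has_feature kerberos && echo "kerberos auth available"
```

The split between `curl_has_protocol` and `curl_has_feature` is deliberate: an inventory script that asks whether "Kerberos" is supported as a protocol gets a false negative on every build, because curl reports it as a feature.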
AI‑driven vulnerability reporting surge
Since the start of the year, AI‑assisted vulnerability reports to the cURL project have increased to four‑to‑five times the 2024 rate and twice the 2025 rate, averaging over one report per day. The reports are highly detailed, lengthy, and expose deep‑seated bugs that have accumulated over decades.
Maintenance capacity
The core maintenance team is extremely small, essentially consisting of Daniel Stenberg working full‑time since 2019. He originally planned a 50‑hour work week but now adds nightly and weekend hours, leading to personal burnout.
Funding disparity
Despite cURL’s ubiquity, the project receives little financial support, in contrast to high‑profile open‑source incidents such as Log4j that attracted substantial corporate funding after major security events.
Anthropic Mythos model impact
Anthropic released the Mythos model in April. Within six weeks it discovered more than 20 000 vulnerabilities in critical system software; roughly 25 % were classified as high‑severity or critical.
OpenBSD: a 27‑year‑old vulnerability.
FFmpeg: a 16‑year‑old vulnerability.
Linux kernel: a chain of vulnerabilities that enable privilege escalation from normal user to full control.
Because of dual‑use risk, Anthropic limits access to Mythos through a restrictive “Project Glasswing” alliance that includes only a few large technology companies and key open‑source projects.
Community response
Open‑source maintainers overwhelmed by the volume of AI‑generated reports have asked for slower disclosure rates, citing insufficient manpower and time to address the findings.
Proposed workflow
Future workflow envisioned: write code → audit code → discover bugs → fix bugs → verify fixes, with AI eventually automating most of these steps. Humans would shift to roles as rule‑makers and final arbiters, overseeing AI‑driven processes.
Source: republished with permission from 码农翻身 (ID: coderising). Author: liuxin.
This article is a distilled summary of the source material, republished for learning and reference.