CodeAnt AI (YC W24)

146 posts

@CodeAntAI

AI Code Review Platform | https://t.co/zOBnfCjpd5 Cut code review time & bug by 50%

San Francisco Bay Area · Joined January 2024
3 Following · 455 Followers
Pinned Tweet

CodeAnt AI (YC W24) @CodeAntAI
Our AI Code Review just found a CVSS 10.0 vulnerability. CVE-2026-29000. The highest possible severity. It had been sitting in pac4j, a widely used Java authentication library, for nearly 6 years. No static scanner found it. No human reviewer found it. Our AI code reviewer did. This was a full authentication bypass caused by a logic gap between the JWT spec and the implementation in pac4j-jwt. What this means: An attacker can craft a malicious token and log in as any user, even admin. No password, no credentials, no stolen session. They only need the server's RSA public key, which is public by design. Root cause: the library accepts a class of token that should never bypass signature verification. When it receives one, it skips the signature check entirely and builds an authenticated session from attacker-controlled claims. Full technical write-up + working PoC below. We don't publish random benchmark claims. We publish real-world threats. This is one of 87 vulnerabilities we've found so far, including issues affecting packages with 500M+ weekly downloads. Kudos to the @VulnCheckAI team for helping expedite the CVE assignment process.

CodeAnt AI (YC W24) @CodeAntAI
Martian just released the industry's first independent code review benchmark. 12+ tools evaluated on real security patches. CodeAnt AI: #1

CodeAnt AI (YC W24) reposted
Martian @withmartian
@CodeAntAI quietly put up some of the strongest numbers in our offline benchmark: top 3 across the board, and #2 on critical risk issues, medium/large PRs, and TypeScript. A lot of range. codereview.withmartian.com/?model=anthrop…

CodeAnt AI (YC W24) @CodeAntAI
We've disclosed 84 zero-day vulnerabilities in the last 1.5 months. This is what we learned. Every security tool you use runs on the same backbone: CVEs and the NVD database. Your tool pulls those CVEs, scans your code, and tells you if you're affected. That's it. That's the whole game. But there's no single authority enforcing when vulnerabilities get disclosed. Google says 90 days. Some say 120 days. And 67% of medium and low vulnerabilities aren't even reported as security issues; they are filed as performance fixes. Severity downgraded. Buried in changelogs. Attackers don't wait for CVEs. They don't care if it's disclosed or not. Offensive security is growing like crazy. If a vulnerability exists, someone will find it and weaponize it. Your app is exposed. Your dashboard shows green. We're going to change it!

CodeAnt AI (YC W24) @CodeAntAI
@amartya_jha_ this is crazy, two critical vulnerabilities published in the National Vulnerability Database in <7 days 🔥🔥

CodeAnt AI (YC W24) reposted
Amartya Jha @amartya_jha_
2 weeks ago, I was debugging something @CodeAntAI code reviewer flagged. It flagged a regex issue in the simple-git repo. 12.4 million weekly downloads. The flag: "This regex guards a case-insensitive system using case-sensitive matching." I almost scrolled past it. I didn't. One hour later I had a working remote code execution POC ready. Here's the thing: simple-git had already fixed this. Twice. CVE-2022-25912. CVE-2022-25860. Both attempted to block the dangerous `ext::` Git protocol using a regex.
- The regex used [a-z]. Case-sensitive.
- Git config keys are case-insensitive.
So protocol.allow=always → blocked. PROTOCOL.ALLOW=always → full remote code execution. The fix that shipped? One character. Adding '/i' to the regex flag. That's the entire diff. 73% of all simple-git installs, roughly 9 million downloads per week, are still running the vulnerable versions right now. The advisory hasn't hit NVD yet. Which means every scanner in your stack is currently blind to it. Snyk. SonarQube. Checkmarx. All blind. Not because they're bad products. Because they rely on known CVEs. If the CVE doesn't exist yet, the pattern doesn't exist yet. This is CVE-2026-28292. CVSS 9.8 Critical. Five days before this, we disclosed CVE-2026-29000. CVSS 10.0. Authentication bypass in pac4j-jwt. Different ecosystem. Different vulnerability class. Rule-based scanners ask: "Does this match a known bad pattern?" AI code review asks: "Does this code do what it's supposed to do?" A case-sensitive regex guarding a case-insensitive system isn't a known pattern. It's a logic gap. A spec vs implementation mismatch. That's exactly what CodeAnt AI catches, and exactly what everything else misses. So far we've filed:
- 100+ vulnerabilities
- Across npm, PyPI, Maven, NuGet
- 1.85B monthly downloads affected
Patch ≠ Fix. Massive respect to Steve (steveukx), 4 days from report to patch. Open-source maintainers are the unsung backbone of this entire industry.
If you use simple-git: npm install simple-git@latest. Do it now. Full writeup in the comments. 👇
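
The case-sensitivity gap described in the post above, as an added example that is not simple-git's or CodeAnt AI's code: a hypothetical simplified guard in its weak and /i-fixed forms, plus a normalizing check that follows git's config-key case rules (section and variable names case-insensitive, subsection case-sensitive) so the comparison does not depend on a regex flag at all.

```javascript
// Added example (not simple-git's or CodeAnt AI's code). It models the logic
// gap described in the post: a guard written with a case-sensitive character
// class in front of a key space (git config names) that git compares
// case-insensitively. Both regexes are hypothetical simplifications.

// Weak form: [a-z] only matches lowercase, so 'PROTOCOL.ALLOW=always'
// passes the guard while git still honours the setting.
const WEAK_EXT_GUARD = /^protocol(\.[a-z]+)?\.allow=always$/;

// The one-character fix the post describes: the /i flag.
const FIXED_EXT_GUARD = /^protocol(\.[a-z]+)?\.allow=always$/i;

// Sturdier form: normalize the key the way git's config grammar does before
// comparing, instead of relying on regex flags. Section and variable names are
// case-insensitive; a subsection (the middle part) is case-sensitive.
function normalizeGitConfigKey(key) {
  const parts = key.split('.');
  if (parts.length < 2) return key.toLowerCase();
  const section = parts[0].toLowerCase();
  const variable = parts[parts.length - 1].toLowerCase();
  const subsection = parts.slice(1, -1).join('.'); // case preserved
  return subsection ? `${section}.${subsection}.${variable}` : `${section}.${variable}`;
}

// Returns true when a 'key=value' config option would enable the ext protocol,
// either for all protocols (protocol.allow) or for ext alone (protocol.ext.allow).
// The value is lower-cased as well: being over-broad is the safe direction for a deny-list.
function enablesExtProtocol(option) {
  const eq = option.indexOf('=');
  if (eq < 0) return false;
  const key = normalizeGitConfigKey(option.slice(0, eq).trim());
  const value = option.slice(eq + 1).trim().toLowerCase();
  return (key === 'protocol.allow' || key === 'protocol.ext.allow') && value === 'always';
}
```

Constructed inputs such as 'PROTOCOL.ALLOW=always' show the weak regex returning false where the fixed regex and the normalizing check both flag the option.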

CodeAnt AI (YC W24) reposted
Amartya Jha @amartya_jha_
[Raw Video] On Saturday, Feb 28th, two of our engineers were running @CodeAntAI’s code reviewer against open-source packages. It stopped on pac4j-jwt. One of the most widely used Java authentication libraries in the world. The finding made them go silent. An attacker can log in as admin. As any user. With just the server's public key. The key that's designed to be public. No password. No secrets. No hacking. Nothing. Full authentication bypass. The root cause? A single bad null check. One misplaced null check meant the entire signature verification gets silently skipped. CVE-2026-29000. CVSS 10.0 🔥 We're doing responsible outreach to every affected project. There are a lot of them. We're also launching a free scanner where you can check your entire codebase to see if you're affected.

Chinmay Bharti @chhinna00
We recently detected a CVSS 10 zero-day vulnerability. Vulnerabilities are endless, every day new CVEs pop up. We're running CodeAnt at scale across a majority of open source packages to find vulnerabilities that have been missed for years. Doing this at scale means running long-horizon agents across thousands of repos. Building a reliable harness for that is hard. Here are some of the problems we're solving. 🧵

CodeAnt AI (YC W24) @CodeAntAI
Yesterday we published CVE-2026-29000, a CVSS 10 authentication bypass in pac4j-jwt. An attacker with just the server's RSA public key can forge a JWT and log in as admin. No secrets needed. No user interaction. The key that's designed to be public is enough. That was the finding. Today we did something harder: we mapped the blast radius. We scanned every downstream dependent of pac4j-jwt across Maven Central, GitHub, and build files across the ecosystem. Here's what we found:
→ 1000+ projects identified (just in open source)
→ Including enterprise SSO servers used by universities and governments
→ Including health research infrastructure
→ Including national archival systems
The two currently maintained CAS release branches, 7.2.x and 7.3.x, are both affected. CAS is the SSO server used by hundreds of institutions worldwide. We're not publishing the list. That's a target menu. Instead we're privately notifying every affected maintainer this week, with the CVE details, the patched versions, and our steps-to-verify guide. Our job is to help them fix it, not to help attackers find them. 17 projects have already patched. CAS master branch has updated to 6.3.3. We'll publish the full patch adoption curve once maintainers have had time to respond.

CodeAnt AI (YC W24) @CodeAntAI
225 Maven artifacts and 131 public GitHub repositories depend on pac4j-jwt, a library with a CVSS 10.0 authentication bypass (CVE-2026-29000), found by our AI code reviewer, that allows attackers to impersonate any user including admins using only the server's public key. We are right now reaching out to the maintainers ASAP to get this fixed.

CodeAnt AI (YC W24) reposted
Amartya Jha @amartya_jha_
@CodeAntAI's code reviewer just found a zero-day security vulnerability, with a CVSS score of 10.0 (maximum): CVE-2026-29000. Published today. A complete authentication bypass in pac4j-jwt, one of the most widely used Java auth libraries. An attacker can craft a token and log in as any user, including admin. The only thing they need? The server's RSA public key. The one that's public by design. The root cause: the library trusts a type of token that the JWT spec technically allows but that should never bypass signature verification. When it receives one, it skips the entire signature check and builds a fully authenticated session from whatever the attacker put in the token. Not a human researcher. Not a pen tester. An AI code reviewer. We don't publish benchmarks. We publish CVEs. This is one of 87 zero-day vulnerabilities we've published; more dropping soon! Kudos to @VulnCheckAI for expediting the CVE assignment. @CVEnew

CodeAnt AI (YC W24) reposted
Amartya Jha @amartya_jha_
We just broke one of the most popular Java auth libraries with nothing but a public key. Full admin access. Zero credentials needed. No private key, no shared secret, just your public key to become admin. We reported it, worked with the maintainer, patched across 3 versions in 72 hours. Kudos to Jérôme Leleu, who moved incredibly fast on the disclosure. Full exploit and PoC ↓

CodeAnt AI (YC W24) reposted
Amartya Jha @amartya_jha_
Just landed in Bangalore. Hosting 200+ engineers & eng leaders in one room tonight; this is going to be fun!

CodeAnt AI (YC W24) @CodeAntAI
We're in India for a week. Delhi Dev Connect wrapped. Bangalore next.

CodeAnt AI (YC W24) reposted
Amartya Jha @amartya_jha_
2025: shipped fast, broke limits, and partied harder. Goa with our APAC crew was unreal. Love this team ❤️