Vibe Coding Failures: When 'Accept All' Goes Wrong

beginner, 10 min
Sources verified Dec 25, 2025
Tags: anti-pattern, vibe-coding, security, beginner

Scenario

Context: Developer using AI to build features quickly, accepting changes without reading diffs

Goal: Understand the real consequences of vibe coding through concrete failure examples

Anti-pattern: Accepting AI-generated code without reading the diff ('Accept All')

Tools: GitHub Copilot, Claude, any AI coding assistant

Conversation

What is Vibe Coding?

Andrej Karpathy coined 'vibe coding' in February 2025 to describe accepting AI changes without reading them. His exact words:

"I 'Accept All' always, I don't read the diffs anymore."

Critically, he also said: "It's not too bad for throwaway weekend projects."

This conversation shows what happens when vibe coding is applied to production work.

Example 1: Security Failure

A developer needs login functionality. They give a vague request and accept the result without review.

👤 You ✗ Bad example

Add login functionality to my Express app

Vague request with no security requirements mentioned.

🤖 AI

I'll add login functionality to your Express app.

[Creates 3 files with 200+ lines of code]

Done! I've added:

  • POST /login endpoint
  • JWT token generation
  • Password comparison

You can test it with: curl -X POST /login -d '{"email": "user@example.com", "password": "password"}'

AI generates substantial code with no security review offered.

👤 You ✗ Bad example

Accept All

CRITICAL: User accepts 200+ lines without reading any of them.

What Was Missed

The accepted code contained:

  1. SQL Injection: db.query(`SELECT * FROM users WHERE email = '${email}'`)
  2. Timing Attack: Password compared with === instead of a constant-time comparison
  3. No Rate Limiting: Unlimited login attempts allowed
  4. Weak JWT Secret: Hardcoded 'secret123'
  5. Token Logging: JWT accidentally logged to console

These would have been caught with even a brief code review.
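
A hardened counterpart to the findings above, as an added example that is not code from the original page. The names `login`, `hashPassword`, `loadJwtSecret`, the `db.query(text, params)` driver shape with `$1` placeholders, and the limit of 5 attempts per 15 minutes are assumptions; `makeFakeDb` is a constructed stand-in so the block runs offline.

```javascript
const crypto = require('node:crypto');
// Item 4: the signing secret comes from the environment, never from source.
function loadJwtSecret(env = process.env) {
  const secret = env.JWT_SECRET;
  if (!secret || secret.length < 32) throw new Error('JWT_SECRET missing or too short');
  return secret;
}

// Passwords are stored as salted scrypt hashes, not plaintext.
function hashPassword(password, salt = crypto.randomBytes(16)) {
  return { salt, hash: crypto.scryptSync(password, salt, 32) };
}
// Decoy record so unknown e-mails cost the same work as known ones.
const DUMMY = hashPassword(crypto.randomBytes(16).toString('hex'));

// Item 3: simple per-e-mail attempt counter (in-memory, single process only).
const MAX_ATTEMPTS = 5, WINDOW_MS = 15 * 60 * 1000;
const attempts = new Map();
function tooManyAttempts(email, now) {
  const a = attempts.get(email);
  if (!a || now - a.first > WINDOW_MS) {
    attempts.set(email, { count: 1, first: now });
    return false;
  }
  return ++a.count > MAX_ATTEMPTS;
}

// db.query(text, params) is a hypothetical placeholder-style driver call.
function login(db, email, password, now = Date.now()) {
  if (tooManyAttempts(email, now)) return { ok: false, reason: 'rate_limited' };
  // Item 1: the e-mail travels as a bound parameter, never inside the SQL text.
  const rows = db.query('SELECT salt, hash FROM users WHERE email = $1', [email]);
  const user = rows[0] || DUMMY;
  // Item 2: compare fixed-length hashes in constant time instead of with ===.
  const candidate = crypto.scryptSync(password, user.salt, 32);
  const match = crypto.timingSafeEqual(candidate, user.hash);
  if (!match || rows.length === 0) return { ok: false, reason: 'invalid_credentials' };
  attempts.delete(email);
  return { ok: true }; // Item 5: issue the token here, but never log it.
}

// Constructed in-memory stand-in for a database that records each query.
function makeFakeDb(users) {
  const seen = [];
  return { seen, query(text, params) {
    seen.push({ text, params });
    return users.filter((u) => u.email === params[0]);
  } };
}
```

A production rate limiter would also key on client address and live in shared storage; the in-memory map here only shows where the check belongs in the flow.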

Example 2: Complexity Explosion

Developer encounters an error and asks AI to fix it repeatedly without understanding the code.

👤 You ✗ Bad example

I'm getting a TypeError. Fix it.

No context provided. Just copying the error message.

🤖 AI

I'll add a null check to fix the TypeError:

if (data && data.user && data.user.profile) {
  return data.user.profile.name;
}

AI adds defensive code without understanding root cause.

👤 You ✗ Bad example

Now I'm getting a different error. Fix it.

Pattern continues: error → fix → new error.

🤖 AI

I'll add a try-catch and fallback:

try {
  if (data && data.user && data.user.profile) {
    return data.user.profile.name || 'Unknown';
  }
} catch (e) {
  console.log('Error getting name');
  return 'Unknown';
}

Code becomes more complex, still not fixing root cause.

The Root Cause Was Never Found

The actual problem: the API was called before user login, returning null.

Proper fix:

await auth.waitForSession();
const data = await fetchUserData();

The vibe coding approach created:

  • Deeply nested defensive code
  • Silent failures that hide bugs
  • Code that 'works' but is wrong
  • Technical debt that compounds

The Evidence

Research confirms these aren't isolated incidents:

  • Veracode 2025: AI-generated code introduced security flaws in 45% of tests
  • Fast Company (Sep 2025): Reported 'vibe coding hangover' with 'development hell' consequences
  • METR research: AI increases time spent on review, often exceeding coding gains

Key Takeaways

  • Vibe coding is explicitly for 'throwaway weekend projects' only (Karpathy)
  • Security-sensitive code requires proportional review time
  • Repeated 'fix it' cycles without understanding indicate vibe coding
  • AI can't fix bugs it doesn't understand - provide context
  • Large diffs need more review time, not less

Try It Yourself

Prompt Template

Before accepting AI-generated code, ask:

1. What security implications does this change have?
2. What's the root cause of the problem I'm trying to solve?
3. Can I explain what this code does to someone else?

Variations to Try

  • For security-sensitive code: 'Review this for OWASP Top 10 vulnerabilities'
  • For bug fixes: 'Explain the root cause before suggesting a fix'
  • For large changes: 'Walk me through each file change'
