
PyCharm's Full Line Completion Recommends Code That Breaks TLS

sethmlarson.dev · @systems_wire · 3 hours ago · Cybersecurity · 2 comments

PyCharm's Full Line Completion suggests code that disables SSL certificate verification and silences security warnings, a pattern that invites MITM attacks.

Tags: pycharm, jetbrains, urllib3, code completion, security vulnerabilities, large language models

Type import urllib3 in PyCharm, then u on the next line, and the IDE suggests urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning), a line that silences the warning urllib3 raises for unverified HTTPS requests. Accept it, and your app will never alert you to bad TLS.

That's from PyCharm's "Full Line Completion" plugin, a local deep learning model that suggests entire lines of code. Seth Larson, the urllib3 maintainer, tested it and found something worse: after declaring a urllib3.PoolManager, the plugin completes with cert_reqs='CERT_NONE'. That disables certificate verification entirely, making every request susceptible to monster-in-the-middle (MITM) attacks. Two suggestions, one pipeline to compromise.

What the IDE Suggests vs. What You Should Use

Larson reported this behavior to JetBrains for Full Line Code Completion v253.29346.142. JetBrains' support staff couldn't decide if it was a security vulnerability. They asked Larson not to publicize the report and pointed to PyCharm's Coordinated Disclosure Policy – while simultaneously confirming it wasn't a "direct security vulnerability." Larson waited 90 days, heard nothing substantive, and then rechecked with v261.24374.152. The same insecure suggestions appear, unchanged.
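The two completions are easy to catch before they reach a code review. The following is an added example, not code from Seth Larson's post or from JetBrains: a small AST-based check that scans Python source for cert_reqs set to CERT_NONE (as the 'CERT_NONE' string or as the ssl.CERT_NONE attribute, which urllib3 also accepts) and for disable_warnings calls that hide InsecureRequestWarning. The SAMPLE source it runs over is constructed here and includes the explicit cert_reqs='CERT_REQUIRED' form as a control that must not be flagged.

```python
"""Flag urllib3 completions that turn off TLS verification.

Added example (not from Seth Larson's post or JetBrains' code): an
ast-based scan for the two lines PyCharm's Full Line Completion offers,
plus the equivalent ssl.CERT_NONE spelling of the first one.
"""
import ast
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    line: int
    message: str


def _is_cert_none(node: ast.expr) -> bool:
    # Matches the 'CERT_NONE' string literal or any X.CERT_NONE attribute
    # (ssl.CERT_NONE), both of which urllib3 accepts for cert_reqs.
    if isinstance(node, ast.Constant) and node.value == "CERT_NONE":
        return True
    return isinstance(node, ast.Attribute) and node.attr == "CERT_NONE"


def _is_insecure_request_warning(node: ast.expr) -> bool:
    # Matches a bare InsecureRequestWarning name or the dotted
    # urllib3.exceptions.InsecureRequestWarning form.
    if isinstance(node, ast.Name):
        return node.id == "InsecureRequestWarning"
    return isinstance(node, ast.Attribute) and node.attr == "InsecureRequestWarning"


def find_insecure_tls(source: str) -> list[Finding]:
    """Return findings for every call that disables verification or its warning."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        # cert_reqs=... on PoolManager, HTTPSConnectionPool, or anything else.
        for kw in node.keywords:
            if kw.arg == "cert_reqs" and _is_cert_none(kw.value):
                findings.append(Finding(
                    node.lineno, "cert_reqs=CERT_NONE disables certificate verification"))
        func = node.func
        callee = func.attr if isinstance(func, ast.Attribute) else getattr(func, "id", None)
        if callee == "disable_warnings":
            # With no argument urllib3.disable_warnings() silences every urllib3
            # warning; with InsecureRequestWarning it silences exactly the TLS one.
            if not node.args or any(_is_insecure_request_warning(a) for a in node.args):
                findings.append(Finding(
                    node.lineno, "disable_warnings hides InsecureRequestWarning"))
    return sorted(findings, key=lambda f: f.line)


# Constructed sample: the two suggested lines plus a verifying control line.
SAMPLE = """\
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
http = urllib3.PoolManager(cert_reqs='CERT_NONE')
safe = urllib3.PoolManager(cert_reqs='CERT_REQUIRED')
"""

if __name__ == "__main__":
    for finding in find_insecure_tls(SAMPLE):
        print(f"line {finding.line}: {finding.message}")
```

Run as a pre-commit hook or a CI step, the scan reports lines 2 and 3 of the sample and stays silent on line 4. Because it inspects the syntax tree rather than raw text, it also catches the same keyword passed to HTTPSConnectionPool or through a variable named something other than http, and it does not trip on the string 'CERT_NONE' appearing in a comment or docstring.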

The CVE Question Nobody Wants to Answer

The real question: does this warrant a CVE? Larson argues it's not clear. A vulnerability usually implies a flaw in the software itself – PyCharm is just offering suggestions, not forcing acceptance. But the model is trained on codebases that often contain insecure patterns, and the IDE surfaces them with zero friction. Calling it a "bug" misses the point; the model is doing exactly what it was trained to do.

This isn't a JetBrains-only problem. Every code generation model trained on public repositories likely reproduces similar anti-patterns. But not assigning CVEs means companies deprioritize fixing the root cause – the training data and suggestion filtering. The burden falls on developers to spot dangerous completions, which is exactly the wrong place to put trust.

What Changes Next

No fix shipped in either of the two versions Larson tested, spanning months. JetBrains has the telemetry and the ability to block patterns like CERT_NONE or disable_warnings in completions. Until they or other IDE vendors treat insecure suggestions as a security defect with the same priority as a traditional bug, every developer hitting Tab on a suggested line is one keystroke away from a production incident.


Source: Are insecure code completions in PyCharm a vulnerability?
Domain: sethmlarson.dev


