What happens when you run a mature, battle-hardened open-source project through an AI security scanner that didn't exist two years ago? The maintainer of curl found out.
Curl is the command-line tool, and libcurl the library, that handle data transfers across the internet - shipped with essentially every operating system, running on billions of devices, and maintained primarily by Daniel Stenberg since 1998. It is not a side project. Curl has a dedicated security team, a responsible disclosure process, and decades of manual code review behind it. Anthropic's automated scanning tool, Mythos, still found a confirmed vulnerability and approximately 20 additional bugs.
What Mythos Does Differently
Mythos is Anthropic's internal code security scanning system, built on Claude's ability to understand and reason about code. Traditional static analysis tools like Coverity or CodeQL work from predefined rules - queries, dataflow and taint models that flag code matching known vulnerability patterns, such as attacker-controlled input reaching a sink or a copy with no preceding length check. Fuzzing feeds mutated or malformed inputs to a program, usually guided by code coverage, and reports crashes and sanitizer-detected memory errors. Mythos takes a different approach: it reads code the way a security researcher would, following the logic, understanding intent, and identifying places where assumptions could fail under specific conditions.
That distinction matters for finding novel bugs. Rule-based analysis needs a rule for each bug class, and it misses context-dependent logic errors where every individual operation is locally valid - a length check is present, but it compares against the wrong limit, or an invariant established in one function is quietly broken in another. Fuzzing only reports what it manages to trigger. A model that understands what the code is trying to do can spot the kind of subtle, situation-specific flaw that takes a skilled human days to find.
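The following is an added illustration of the kind of logic error described above; it is not curl code, not the Mythos finding, and the function names, buffer sizes and sample input are all invented for this example. A rule that only requires a length check before a memcpy is satisfied by copy_value_vuln, but reading the function as a whole shows the check is against the wrong limit: the copy also writes a NUL terminator, so it needs len + 1 bytes of room. The harness places a sentinel byte just past the declared capacity so the off-by-one can be observed without undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical example (not curl code, not a Mythos finding): copy a
 * header value of 'len' bytes into 'dst' and NUL-terminate it.
 *
 * A length check precedes the memcpy, so a rule-based scanner looking for
 * "unchecked copy" is satisfied. The check is nevertheless wrong: the
 * terminator makes this a len + 1 byte write, so len == cap writes one
 * byte past the end of dst.
 */
int copy_value_vuln(char *dst, size_t cap, const char *src, size_t len)
{
    if (len > cap)          /* accepts len == cap: off by the terminator */
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';        /* with len == cap this is dst[cap] */
    return 0;
}

/* Hardened form: reserve one byte for the terminator. */
int copy_value_fixed(char *dst, size_t cap, const char *src, size_t len)
{
    if (len >= cap)
        return -1;
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

typedef int (*copy_fn)(char *, size_t, const char *, size_t);

/*
 * Test harness: allocate cap + 1 bytes, put a sentinel in the spare byte
 * just past the declared capacity, run the copy with capacity 'cap', and
 * report whether the sentinel was overwritten. Returns 1 if the copy
 * wrote past 'cap', 0 if not, -1 on allocation failure.
 */
int overflows_by_one(copy_fn fn, size_t cap, const char *src, size_t len)
{
    char *buf = malloc(cap + 1);
    if (!buf)
        return -1;
    memset(buf, 'A', cap);
    buf[cap] = (char)0xCC;                  /* sentinel just past 'cap' */
    int rc = fn(buf, cap, src, len);
    int clobbered = (rc == 0) && (buf[cap] != (char)0xCC);
    free(buf);
    return clobbered;
}

int main(void)
{
    /* constructed input: a 16-byte value into a 16-byte buffer */
    const char *value = "0123456789abcdef";
    printf("vuln  overflows: %d\n", overflows_by_one(copy_value_vuln, 16, value, 16));
    printf("fixed overflows: %d\n", overflows_by_one(copy_value_fixed, 16, value, 16));
    printf("fixed rejects full-length value: %d\n",
           copy_value_fixed(NULL, 16, value, 16) == -1);
    return 0;
}
```

The point is not the bug itself, which is well known, but where it hides: each line is individually reasonable, and only the combination of the comparison operator and the terminator write makes it wrong. That is the kind of judgement a reviewer applies by reading the function's intent rather than its shape.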
What One CVE in curl Actually Signals
One confirmed vulnerability in curl is not a catastrophe - the curl security team has a process for handling exactly this, and a fix and advisory will ship through the project's normal disclosure channels. But finding anything new in code this mature and widely audited is a meaningful result.
The roughly 20 additional bugs are a mixed bag. Some may represent genuine security concerns. Others are likely logic errors or edge cases that affect reliability rather than create attack vectors. The exact breakdown hasn't been published.
The more interesting question is what it means that there are any new findings at all. Curl has been through multiple government-funded security audits, reviewed by professional researchers, and scrutinized by an active community for 28 years. Running a new automated tool over it and still surfacing real issues suggests AI-assisted security review catches different problem types than existing methods - not a replacement for human review, but a genuine addition to the process.
For developers maintaining their own codebases: if Mythos can find a confirmed vulnerability in curl, the odds are reasonable it would find something in production code that hasn't had anywhere near the same level of scrutiny. AI-assisted code scanning is worth treating as a serious part of the security workflow, not a demo novelty. It still needs the same triage as any other scanner's output: a finding is a candidate until someone reproduces it and assesses its impact, which is exactly the step the roughly 20 unclassified curl bugs are waiting on.