Curl Patches Record Number of AI-Found Vulnerabilities (And Anthropic Mythos Barely Helped)

Okay, gather round, because the internet just had one of those “wait, what?” moments. Curl — yes, that tiny command-line tool your parents have never heard of but absolutely depend on every single day — is about to ship a release that fixes a record-breaking pile of security holes. And almost all of them were found by AI. Yes, really. The robots are doing security audits now, and they’re disturbingly good at it.

This is the story of how Curl AI vulnerabilities became the most talked-about topic in open source this month, why Anthropic’s mysterious “Mythos” model turned out to be a bit of a diva, and what it all means for the software that quietly runs your phone, your PlayStation, your car, and probably your fridge.

Wait, what even is Curl?

Imagine you wanted to send a postcard. You write it, slap a stamp on it, and drop it in a mailbox. Curl is the digital version of that mailbox — except instead of postcards, it sends and receives anything: web pages, photos, software updates, emails, login tokens, your Spotify playlist syncing in the background. If two computers talk to each other on the internet, there is a very good chance Curl is the postman.

Daniel Stenberg, the very patient Swedish guy who has been maintaining Curl for 27 years (let that sink in), recently shared a frankly absurd statistic: Curl runs on more than 20 billion devices. That is more than two phones for every single human on Earth. It works on 110 operating systems and 28 different types of computer chip. Your smartphone has it. Your smart TV has it. Your game console has it. The traffic light at the end of your street? Probably has it.

So when Curl gets a security bug, the entire internet kind of flinches at the same time. Now imagine eleven bugs at once. In a single release. That’s where we are.

The “oh no” moment: 11 confirmed bugs and counting

Here’s what Stenberg posted on Mastodon (which is basically Twitter for people who like RSS feeds and small typography flexes): the current Curl release cycle isn’t even halfway done, and they’ve already confirmed eleven security vulnerabilities. Three more are sitting in the “we think these are real, give us a minute” pile. New bug reports are landing every single day.

To put that in perspective: the previous all-time record was eleven bugs, set back in 2016, after a professional security company called Cure53 spent weeks combing through the code with a magnifying glass and a fistful of espresso shots. That was considered an extraordinary one-off event. The fact that Curl just tied that record halfway through a release, and is about to blow past it, is, in Stenberg's own words, the most intense period of his entire maintainership.

One of these bugs is, apparently, the oldest vulnerability ever found in Curl. We're talking a flaw that has been quietly sitting in the code for over two decades, missed by every human who has ever read it. Until an AI tool was pointed at the roughly 180,000 lines of source and went "uh, you probably want to look at this."

How does AI even find bugs in code?

Great question. Let me explain it the way I’d explain it to my mum.

Source code is just text. Long, complicated, ridiculously specific text, but text. For decades, finding bugs in code meant a human had to read every line, hold the whole program in their head at once, and notice that on line 4,712 a variable was used before it was set, which means a hacker could potentially trick the program into reading random bits of memory. Tedious. Slow. Boring. Easy to miss.

Large language models, the same kind of AI behind chatbots like Claude and ChatGPT, turn out to be weirdly good at this kind of pattern-matching at scale. They don't get tired, and they don't go "ugh, this function is 800 lines long, I'll just trust it." Run one over the codebase, file by file or function by function, and it flags anything that smells off: a length taken from the network and used without being checked, a return value nobody looks at, a variable read on a path where it was never set. Then a human checks the suspicious bits. Most are false alarms. But every now and then? Jackpot.
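To make "a length used without being checked" concrete, here is an added example written for this post. It is not curl's code and not any of the bugs being patched; it uses a made-up record format (one type byte, a two-byte big-endian length, then the payload) and shows a parser that trusts the length field next to the fixed version that checks it against the bytes actually present.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not from curl. A constructed record format for illustration:
 * 1 byte type, 2-byte big-endian length, then `length` payload bytes. The
 * audit question is whether the declared length is ever compared with the
 * number of bytes that are really there. */

struct record {
    uint8_t type;
    const uint8_t *payload;   /* points into the caller's buffer */
    size_t len;
};

/* BEFORE: trusts the length field from the wire. On a truncated or
 * malicious input the returned view extends past `buflen`; a caller that
 * copies `len` bytes then reads beyond the buffer. Nothing in this function
 * crashes by itself, which is exactly why the bug can sit unnoticed. */
int parse_record_vuln(const uint8_t *buf, size_t buflen, struct record *out)
{
    if (buflen < 3)
        return -1;                      /* the header check is present... */
    out->type = buf[0];
    out->len = ((size_t)buf[1] << 8) | buf[2];
    out->payload = buf + 3;             /* ...but the payload check is not */
    return 0;
}

/* AFTER: the declared length must fit in what remains after the header.
 * Written as `len > buflen - 3` rather than `3 + len > buflen` so the
 * comparison itself cannot wrap around for large values. */
int parse_record_fixed(const uint8_t *buf, size_t buflen, struct record *out)
{
    if (buflen < 3)
        return -1;
    size_t len = ((size_t)buf[1] << 8) | buf[2];
    if (len > buflen - 3)
        return -2;                      /* truncated: declares more than present */
    out->type = buf[0];
    out->len = len;
    out->payload = buf + 3;
    return 0;
}

/* Walks consecutive records with the fixed parser and returns how many are
 * well formed, stopping at the first bad one. */
size_t count_records(const uint8_t *buf, size_t buflen)
{
    size_t off = 0, n = 0;
    struct record r;
    while (off < buflen) {
        if (parse_record_fixed(buf + off, buflen - off, &r) != 0)
            break;
        off += 3 + r.len;               /* cannot overflow: checked above */
        n++;
    }
    return n;
}

/* Constructed sample input: one valid 4-byte record, then a record that
 * claims 0x0200 = 512 bytes of payload but only has 2. */
const uint8_t SAMPLE[] = {
    0x01, 0x00, 0x04, 'a', 'b', 'c', 'd',
    0x02, 0x02, 0x00, 'x', 'y'
};
const size_t SAMPLE_LEN = sizeof SAMPLE;

/* Length the vulnerable parser hands back for the truncated second record;
 * a caller copying that many bytes would over-read by 510. */
size_t vuln_claimed_len_of_second_record(void)
{
    struct record r;
    return parse_record_vuln(SAMPLE + 7, SAMPLE_LEN - 7, &r) == 0 ? r.len : 0;
}

/* What the fixed parser says about the same record (-2 = truncated). */
int fixed_result_for_second_record(void)
{
    struct record r;
    return parse_record_fixed(SAMPLE + 7, SAMPLE_LEN - 7, &r);
}

/* Length the fixed parser reports for the first, well-formed record. */
size_t fixed_first_record_len(void)
{
    struct record r;
    return parse_record_fixed(SAMPLE, SAMPLE_LEN, &r) == 0 ? r.len : 0;
}

int main(void)
{
    printf("vulnerable parser accepts declared len %zu with %zu payload bytes present\n",
           vuln_claimed_len_of_second_record(), SAMPLE_LEN - 7 - 3);
    printf("fixed parser returns %d; well-formed records: %zu\n",
           fixed_result_for_second_record(), count_records(SAMPLE, SAMPLE_LEN));
    return 0;
}
```

The vulnerable version returns success and a length of 512 for a record with two bytes of payload; nothing goes wrong until a caller copies that many bytes. That quiet failure is what a human skims past on hour eight and what a systematic checker flags: a number from the wire used as a size with no comparison against the buffer it came from.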

This is what’s happening to Curl right now. Researchers are pointing AI tools at the codebase, and the AI is dredging up bugs that have been hiding in plain sight since before TikTok existed. Multiple different AI systems, multiple different research groups, all finding new stuff. It’s a goldrush.

Enter Mythos: Anthropic’s “elite” bug-hunter AI

Now we get to the spicy bit. Anthropic (the company that makes Claude, the AI that is technically helping write this very blog post — hi) recently announced an AI model called Mythos. According to Anthropic, Mythos is so good at finding security flaws in code that they decided not to release it publicly. Only a small, hand-picked group of companies gets access. Very mysterious. Very “members-only club with a velvet rope.” Very marketing, frankly.

To prove how impressive Mythos was, it was let loose on the Curl source code: roughly 178,000 lines of C. And then it produced its findings.

The grand total of vulnerabilities Mythos found in Curl?

One.

And it was a low-severity one. The software equivalent of finding a paperclip in the carpet. Yes, it’s there. Yes, it should probably be picked up. No, nobody is in real danger because of it.

[Image: scoreboard of the AI-versus-Curl audit so far. Other tools: a record-breaking pile of real bugs. Mythos: one low-severity paperclip.]

Why Daniel Stenberg is not impressed

Stenberg, to his credit, was diplomatic-but-cutting on LinkedIn. His basic point: “the hype around Mythos so far has mostly been marketing. I see no evidence that this setup finds larger or more sophisticated problems than the other models found before Mythos showed up.”

Translation, in friend-speak: “You told everyone you were special. You showed up. You found one paperclip. Meanwhile, the AI tools we already had access to are finding actual landmines. Mythos is a distraction.” Ouch.

And honestly? He has a point. Not one of the eleven confirmed vulnerabilities being patched in this Curl release came from Mythos; the AI-found ones came from tools researchers already had access to. The Mythos finding will be quietly bundled in alongside them, like an unpopular kid getting an invite to the party because his mum knows the host.

So… should you panic?

Short answer: no. Long answer: also no, but stay tuned.

This is actually good news. Curl is critical infrastructure. Bugs that sit undiscovered for 20 years are a ticking time bomb: someday, somebody bad would have found them first. The fact that AI is now systematically dredging up those long-buried flaws means a lot of dangerous stuff is getting fixed quickly, in the open, by good people. The catch is that a fix only helps where it is actually installed. Phones and laptops will pick it up; the smart TV and the router that never see an update keep running the old code.

What you should do, in order of how lazy you’re feeling:

  • Lazy mode: let your phone, laptop and devices auto-update. They will pick up the new Curl whenever your operating system pushes its next batch of updates. Done.
  • Slightly less lazy: if you run a server, install the updated packages as soon as your distribution ships them, then restart every service that links libcurl (or simply reboot). A process that was already running keeps the old library loaded until it restarts, so "I ran the update" is not the same as "I am patched". Don't wait three months.
  • Properly responsible: if you ship software that bundles or statically links Curl (you'd know), watch the advisories at https://curl.se/docs/security.html when the release drops, bump the pinned version in your build, rebuild and ship. A vendored copy never gets patched by the operating system's package manager.
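For the two server-side checks above, here is an added example script (written for this post, not from the curl project): it reads the first line of `curl --version`, compares both the tool and the libcurl version against the fixed release, and, on Linux, lists processes that still have a replaced libcurl mapped in memory. The fixed version is whatever the release notes name; the 8.99.0 used as a default below is a placeholder assumption, not a real release.

```sh
#!/bin/sh
# Added example, not from the curl project. Decide whether an installed curl
# needs updating, and find processes still holding an old libcurl after the
# package was upgraded. 8.99.0 is a placeholder for the fixed version.

# First line of `curl --version` looks like:
#   curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 ...
# The tool and the library can differ; the library is what everything else
# on the box actually links against, so both are checked.
curl_version_from_output() {
  printf '%s\n' "$1" | sed -n '1s/^curl \([0-9][0-9.]*\).*/\1/p'
}

libcurl_version_from_output() {
  printf '%s\n' "$1" | sed -n '1s|.*libcurl/\([0-9][0-9.]*\).*|\1|p'
}

# version_lt A B: exit 0 if dotted version A is strictly older than B.
# Missing components count as 0, so 8.5 == 8.5.0 and 8.5 < 8.5.1.
version_lt() {
  v1=$1; v2=$2; i=0
  while [ "$i" -lt 3 ]; do
    a=${v1%%.*}; b=${v2%%.*}
    [ "${a:-0}" -lt "${b:-0}" ] && return 0
    [ "${a:-0}" -gt "${b:-0}" ] && return 1
    case $v1 in *.*) v1=${v1#*.} ;; *) v1= ;; esac
    case $v2 in *.*) v2=${v2#*.} ;; *) v2= ;; esac
    i=$((i + 1))
  done
  return 1
}

# curl_update_status OUTPUT FIXED: prints "update" if either the tool or the
# library version in OUTPUT is older than FIXED, otherwise "ok".
curl_update_status() {
  tool=$(curl_version_from_output "$1")
  lib=$(libcurl_version_from_output "$1")
  if version_lt "${tool:-0}" "$2" || version_lt "${lib:-0}" "$2"; then
    printf 'update\n'
  else
    printf 'ok\n'
  fi
}

# Linux only: after the package upgrade, a service that was already running
# keeps the old libcurl mapped. The kernel shows such mappings with a
# "(deleted)" suffix in /proc/PID/maps; print the PIDs that have one.
stale_libcurl_pids() {
  for m in /proc/[0-9]*/maps; do
    if grep -q 'libcurl[^ ]* (deleted)' "$m" 2>/dev/null; then
      pid=${m#/proc/}
      echo "${pid%%/*}"
    fi
  done
}

# Constructed sample output, shaped like an older machine's `curl --version`,
# used when the script is run stand-alone without curl on the PATH.
SAMPLE_OUTPUT='curl 8.5.0 (x86_64-pc-linux-gnu) libcurl/8.5.0 OpenSSL/3.0.13 zlib/1.3
Release-Date: 2023-12-06
Protocols: dict file ftp ftps http https'

# Usage: sh check_curl.sh --run [FIXED_VERSION]
if [ "${1:-}" = "--run" ]; then
  out=$(curl --version 2>/dev/null || printf '%s' "$SAMPLE_OUTPUT")
  echo "status: $(curl_update_status "$out" "${2:-8.99.0}")"
  echo "processes with stale libcurl: $(stale_libcurl_pids | tr '\n' ' ')"
fi
```

Run it with `--run 8.x.y` once the release notes name the fixed version; a non-empty list of stale PIDs means the update is installed on disk but the listed services are still executing the old library.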

The bigger picture: AI just changed open-source security forever

This isn’t just a Curl story. This is the new normal. Every widely-used open-source project — nginx, Linux, OpenSSL, Python, your favourite Discord bot library — is going to get the AI-audit treatment over the next year or two. A lot of decades-old bugs are about to get found. A lot of patches are going to ship. A lot of maintainers are going to have very stressful weekends.

The flip side: bad actors are pointing the exact same AI tools at the exact same code, looking for the exact same bugs, but with very different intentions. The race is on. And the only way the good guys win is if maintainers like Stenberg keep getting reports faster than attackers can build exploits. Which is why every responsible disclosure right now matters so much.

Mythos may or may not eventually live up to its marketing. But the broader truth is already obvious: AI-powered code auditing works. It works really, really well. And the internet, however slowly, is getting safer because of it.

Frequently Asked Questions

What is Curl in simple words?

Curl is a tiny program that sends and receives data over the internet. Whenever a device needs to fetch a file, talk to an API, download an update, or upload a photo, Curl (or the library version, libcurl) is very often the thing doing it. It is installed on over 20 billion devices worldwide.

How many Curl vulnerabilities are being patched?

At least eleven confirmed security vulnerabilities are already queued for the upcoming Curl release, with three more unconfirmed and new reports arriving daily. This ties the all-time record set in 2016 after a professional security audit — and the current release cycle isn’t even half over.

What is Mythos, the Anthropic AI model?

Mythos is an AI model developed by Anthropic that is specifically designed to find security vulnerabilities in source code. Anthropic claims it is so capable that they have restricted access to a select group of companies. When pointed at Curl’s 178,000 lines of code, however, it found just one low-severity issue — leading Curl maintainer Daniel Stenberg to call the Mythos hype mostly marketing.

Is my device safe to use right now?

Yes. None of the patched vulnerabilities have been reported as actively exploited in the wild, and the fixes will land in the normal update cycle for your phone, laptop and other devices that still receive updates. Keep automatic updates enabled and you will receive the patched Curl without lifting a finger. Devices that no longer get updates at all (an old router, cheap IoT gear) will not get the fix; the only remedy there is to replace them or keep them off anything important.

How is AI finding bugs that humans missed for 20 years?

Large language models can read and pattern-match across enormous codebases without getting tired or distracted. They notice subtle inconsistencies — a variable used before it is set, a buffer that might overflow, a sanity check that is missing for one specific input — that a human reviewer would skim past on hour eight of a code review. They produce a lot of false alarms, but they also surface real bugs that have hidden for decades.

Will AI replace human security researchers?

Not really, no. AI is incredibly good at flagging suspicious patterns, but it still needs a human to verify whether each finding is a real vulnerability, write the patch, and reason about the impact. The current model is “AI dredges the river, humans pick out the actual gold.” That partnership is what is producing the record-breaking patch counts right now.
