Curl Creator Calls Out Anthropic’s Mythos Hype After AI Scan Yields One Low-Severity Flaw

Anthropic touted Mythos as too dangerous to release due to its security flaw-finding prowess. When it scanned curl, the AI flagged five issues. Review reduced that to one low-severity vulnerability. Daniel Stenberg calls the hype marketing while praising AI tools overall. The episode reveals both the promise and limits of current models.
Curl Creator Calls Out Anthropic’s Mythos Hype After AI Scan Yields One Low-Severity Flaw
Written by Lucas Greene

Daniel Stenberg sounded skeptical from the start. When Anthropic unveiled its new AI model in April and declared it dangerously good at spotting security flaws, the curl maintainer watched the headlines multiply. The company chose not to release Mythos publicly. It worried the tool might hand attackers an edge. Instead it funneled access through a program called Glasswing to a handful of select partners.

Stenberg secured an offer through the Linux Foundation’s Alpha Omega project. He signed the paperwork. Delays followed. In the end a third party with access ran the scan on curl’s master branch and forwarded the report. The date was May 6. The commit sat at 455bebc2c76223a1be26042f6d2393715c0df0cd. The model examined 178,000 lines of code across the src and lib directories.

The output arrived with five findings labeled as confirmed security vulnerabilities. Stenberg and his security team spent hours reviewing each one. Three turned out to be false positives that simply restated documented shortcomings in the API. One more was a plain bug. That left a single confirmed vulnerability. It carries low severity. The flaw will receive a CVE and ship with curl 8.21.0 in late June. Details stay under wraps until then. The issue, Stenberg noted, will not make anyone grasp for breath.

AI Tools Deliver Fixes, Yet Fall Short of the Hype

Mythos also flagged roughly 20 additional bugs. The descriptions landed with low false-positive rates. The curl team has begun fixing them one by one. Those results align with what Stenberg has seen from other AI systems over the past eight to ten months. Tools such as AISLE, Zeropath and OpenAI’s Codex Security prompted between 200 and 300 bug fixes in curl. A dozen or more of those fixes became published CVEs. Stenberg’s own account makes the pattern clear.

Curl hardly counts as an easy target. The project maintains 176,000 lines of C code, excluding blanks. That total exceeds the

And yet the model found nothing in those core areas. No memory-safety vulnerabilities appeared. The scan avoided automated static analysis tools. Instead it relied on hand-driven LLM subagents that read files in parallel and re-verified every claim against the source. The approach matches how human researchers now work. They prompt the models. They check the output. They iterate.

Stenberg drew a blunt conclusion. “My personal conclusion can however not end up with anything else than that the big hype around this model so far was primarily marketing,” he wrote. “I see no evidence that this setup finds issues to any particular higher or more advanced degree than the other tools have done before Mythos. Maybe this model is a little bit better, but even if it is, it is not better to a degree that seems to make a significant dent in code analyzing.” The Register reported the same assessment on May 11, quoting Stenberg directly.

But do not mistake his view for dismissal. AI code analyzers outperform traditional static tools by a wide margin. “AI powered code analyzers are significantly better at finding security flaws and mistakes in source code than any traditional code analyzers did in the past,” Stenberg stated. “All modern AI models are good at this now.” Projects that skip these tools hand adversaries extra time to discover and weaponize overlooked problems. The volume of high-quality security reports has surged because researchers now wield AI themselves.

These systems excel at certain tasks. They notice mismatches between code and comments. They test configurations that never run in normal builds. They understand behavior of third-party libraries and spot misuse. They question protocol violations. They summarize flaws clearly and sometimes propose patches, though the patches often need human correction. Still, they hunt for familiar error patterns. “AI tools find the usual and established kind of errors we already know about,” Stenberg explained. “It just finds new instances of them. We have not seen any AI so far report a vulnerability that would somehow be of a novel kind or something totally new.”

The curl project closed its bug bounty program earlier because of an influx of low-value AI-generated reports. Stenberg calls them slop. Yet he credits the better human-plus-AI submissions that still arrive. Future progress, he believes, will come from humans inventing smarter prompts and fresh angles of attack. Source code remains text. Most categories of security mistakes have already been catalogued. The challenge lies in locating fresh examples inside millions of lines.

Discussion on X and technical forums echoed these themes within hours of the blog post. One user observed that curl’s extreme scrutiny makes the single find impressive for the project rather than disappointing for the model. Another noted that weaker codebases could still yield large numbers of issues. Threads on Hacker News and Lobsters debated whether memory safety dominates vulnerability counts and what role language choice plays. The conversation remains lively because the stakes sit high. Curl runs everywhere. A serious flaw would ripple across the internet.

Stenberg plans to keep running scans with Mythos and competing tools. He has been promised direct access eventually. The team will continue until new reports stop appearing. Each round tightens the code further. The single low-severity CVE from this exercise will land soon. It will not dominate headlines. The larger story is quieter. AI has become another powerful instrument in the security toolbox. It augments human effort. It does not replace it. And the marketing claims, however loud, must still face the test of real code under real review.

Subscribe for Updates

AISecurityPro Newsletter

A focused newsletter covering the security, risk, and governance challenges emerging from the rapid adoption of artificial intelligence.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us