A cURL developer points out that the claim that Claude Mythos has 'high vulnerability detection capabilities' is an exaggeration.

Anthropic's AI '
Mythos finds a curl vulnerability | daniel.haxx.se
https://daniel.haxx.se/blog/2026/05/11/mythos-finds-a-curl-vulnerability/
Claude Mythos analyzed 178,000 lines of cURL code and reported five vulnerabilities. However, after several hours of in-depth investigation by Stenberg and his colleagues, it turned out that three of the five vulnerabilities were simply issues already noted in the API documentation, and one was merely a bug. In effect, only one vulnerability remained. This vulnerability is considered low-severity and is expected to be fixed in the next version.
Stenberg had previously used several AI tools, including 'Codex Security,' to test for vulnerabilities in cURL, and had identified more than 12 vulnerabilities in total. Claude Mythos was advertised as having 'higher vulnerability detection capabilities' than these AI tools, so Stenberg had expected to find a huge number of vulnerabilities, but he says it was 'a disappointment.'

According to Stenberg, Claude Mythos's report included very detailed descriptions and explanations of approximately 20 bugs in addition to the vulnerability. There were very few false positives among these bugs, and Stenberg assessed that 'they appear to have been detected to a fairly high standard.'
However, since no evidence was found that Claude Mythos detects vulnerabilities at a higher level than the tools that preceded it, Stenberg assessed it as 'somewhat better, but even so, not so much better that it would bring about a major change in code analysis,' and pointed out that Claude Mythos is not particularly 'dangerous.' He added, though, that this is only the result of analyzing one source code repository, so 'it may be better in other areas.'

Stenberg believes that AI vulnerability detection tools are far superior to traditional tools, and that analyzing a project with AI tools for the first time would uncover a vast number of bugs and vulnerabilities. Stenberg stated, 'Not analyzing your code with AI tools, including Claude Mythos, means giving adversaries and attackers the time and opportunity to discover and exploit vulnerabilities that you missed.'
in AI, Posted by log1p_kr






