Our response to a recent vulnerability disclosure: actions taken & continuous improvement
Summary
- White-hat security researchers have uncovered a vulnerability in Qodo that could allow remote code execution (RCE).
- At this stage of our investigation, we have found no indication that this vulnerability has been exploited in the wild, and no evidence of customer data being accessed, exposed, or otherwise compromised.
- We have remediated the vulnerability in Qodo (and in the PR Agent open-source project, previously maintained by Qodo). No action by our users is required.
- We are working hand-in-hand with the security research firm to resolve the issues identified and have brought in a leading cybersecurity services partner to further support this process.
Vulnerability Analysis
On disclosure from a white-hat security researcher, we confirmed an RCE-class vulnerability in Qodo’s Git integration. In the course of demonstrating impact, the researcher accessed sensitive credentials.
We appreciate the researcher’s responsible disclosure and collaboration.
Remediation actions
- Credential revocation & rotation
- Patches & hardening
- Containment & investigation
Why this matters
Customer trust is foundational to Qodo. Incidents like this are rare, but when they happen, our obligation is to act fast, be transparent, and come out safer. We’re using this moment to drive systemic improvements and broad security awareness. Earning customer trust is a daily practice, not a statement, so we design for least privilege, verify continuously, and invite independent validation. Our goal is simple: protect customer data by default and prove it with clear evidence.
Continuous Improvement
- Independent security partner engagement: We have brought in a top cybersecurity services firm to validate our remediation, recommend additional controls, and help us implement a stronger defense-in-depth posture for our cloud environment.
- Forensic investigation: We are establishing a forensic understanding and validation of the findings presented by the white-hat ethical hacker, including the identification of any unauthorized access or activity.
- Hiring full-time application security (AppSec) resources: dedicated to our platform and SDLC.
Acknowledgement
We thank the reporting researcher for the professional, responsible disclosure and collaboration throughout remediation.
If you have questions or would like to discuss this in more detail, please reply to this email or contact us at [email protected].