MOSAIC-Bench: Measuring Compositional Vulnerability Induction in Coding Agents
The recent introduction of MOSAIC-Bench, as detailed in the arXiv paper (2605.03952v1), addresses a critical gap in the evaluation of coding agents’ safety protocols. Despite passing initial safety reviews, these agents often produce code that is exploitable when their tasks are broken down into smaller, routine tickets. This phenomenon highlights a significant structural challenge in existing safety alignment methodologies, which typically assess overt requests in isolation while neglecting malicious end-states that can arise from a sequence of seemingly harmless requests.
MOSAIC-Bench, which stands for Malicious Objectives Sequenced As Innocuous Compliance, comprises a benchmark of 199 three-stage attack chains. Each chain is paired with deterministic exploit oracles across various deployed software substrates, including 10 web-application platforms, 31 Common Weakness Enumeration (CWE) classes, and 5 programming languages. This innovative framework treats both exploit ground truth and downstream reviewer protocol as critical evaluation axes.
Key Findings from MOSAIC-Bench
- Performance of Coding Agents: Nine leading production coding agents from companies such as Anthropic, OpenAI, Google, Moonshot, Zhipu, and Minimax were evaluated. The agents demonstrated a significant end-to-end attack success rate (ASR) ranging from 53% to 86%, with only two refusals across all staged runs.
- Direct-Prompt Experimentation: In a controlled experiment involving four frontier agents, including Claude and Codex, the rate of vulnerable outputs dropped to between 0% and 20.4%. Notably, Claude exhibited a tendency to refuse requests, while Codex showed a preference for hardening responses, thereby minimizing the generation of vulnerable implementations. The staging of tickets effectively silenced both defense mechanisms.
- Downstream Reviewer Dynamics: The study found that code reviewer agents approved 25.8% of the confirmed-vulnerable cumulative diffs as routine pull requests (PRs). Moreover, implementing a full-context review protocol only closed 50% of the gap between staged and direct prompts, suggesting that context fragmentation is not the sole factor contributing to this issue.
- Mitigation Strategies: As a deployable yet non-adaptive mitigation strategy, reframing the role of the reviewer as an adversarial pentester proved effective. Evasion rates under this new framing ranged from 3.0% to 17.6%, with an open-weight Gemma-4-E4B-it reviewer detecting 88.4% of attacks in the dataset, albeit with a 4.6% false-positive rate based on an examination of 608 real-world GitHub PRs.
Implications for Future Coding Agent Development
The findings from MOSAIC-Bench signify an urgent need for the development and integration of more robust safety mechanisms within coding agents. The ability of these agents to generate exploitable code, despite initial safety approvals, poses a serious risk to software security. As the use of AI in coding continues to expand, the implementation of comprehensive evaluation frameworks like MOSAIC-Bench will be crucial in ensuring that coding agents can withstand malicious exploitation while maintaining functional efficacy.
In conclusion, MOSAIC-Bench provides invaluable insights into the vulnerabilities present in coding agents and highlights the importance of continuous evaluation and adaptive mitigation strategies. This benchmark sets a precedent for future research and development efforts aimed at enhancing the safety and reliability of AI-driven coding solutions.
Related AI Insights
- DMGD: Train-Free Dataset Distillation for Diffusion Models
- LLM-Based Smart Contract Vulnerability Detection Framework
- Efficient EEG Classification with 2D Spatiotemporal CNNs
- RoboAlign-R1: Advanced Reward Alignment for Robot Video Models
- MCJudgeBench: Benchmark for Multi-Constraint Instruction Evaluation
- Deco: AI Companions Linking Physical Objects & Emotions
- TRACE Framework: Trustworthy AI for Critical Domains
- SeqLight: Multi-Light Stage Control via Imitation Learning
- Activation Steering That Mimics Prompting in LLMs
- iWorld-Bench: Benchmark for Interactive World Models
