Researchers using Anthropic’s Claude AI uncovered 22 security vulnerabilities in Mozilla Firefox during a two-week investigation, with 14 of those issues classified as high severity. Mozilla has already fixed most of the problems in Firefox 148, which shipped in February, while the remaining fixes will arrive in upcoming releases.
The discovery highlights how quickly AI tools can scan complex software projects and flag serious security issues that normally require extensive manual auditing. Anthropic researchers focused first on Firefox’s JavaScript engine before expanding their analysis to other parts of the browser’s large codebase, which millions of users rely on every day.
Anthropic shared details of the collaboration in a research post describing how its Claude Opus 4.6 model scanned thousands of files and submitted more than one hundred reports to Mozilla during the effort.
“Claude Opus 4.6 discovered 22 vulnerabilities over the course of two weeks,” Anthropic researchers wrote.
AI speeds up security discovery

According to the research team, Claude scanned nearly 6,000 C++ files while analyzing Firefox’s internal components and reported multiple crashes and weaknesses that required further review by engineers.
Mozilla eventually classified 22 of the submitted reports as valid vulnerabilities, including 14 high-severity flaws that could have created serious risks if attackers exploited them.
Anthropic researchers said AI tools now detect security weaknesses much faster than traditional methods because the models analyze large codebases continuously and generate test cases that reveal unexpected behavior.
Exploits remain difficult for AI

Even though Claude quickly identified vulnerabilities, the model struggled to convert those bugs into working exploits. Anthropic spent around $4,000 in API credits trying to generate proof-of-concept attacks and succeeded in only two cases.
“Opus 4.6 is currently far better at identifying and fixing vulnerabilities than at exploiting them,” the researchers explained.
That gap still gives defenders an advantage for now, although researchers believe AI-driven security analysis will play a much larger role in protecting open source software in the years ahead.