Let's say you built an app last weekend. You told Cursor or Bolt or Lovable what you wanted, and it gave you something that actually works. You clicked around, showed a few people, maybe even posted a demo video. The reactions were good. You started thinking about launch dates.
Then things got weird. You tried to add a payment flow and the whole settings page broke. A friend who works in tech asked if you'd checked your API keys and you didn't know what that meant. You tried to put it on a real server and nothing happened the same way it did on your laptop.
That's the vibe coding wall. Almost everyone who builds with AI tools hits it somewhere between week two and week eight. The tool did its job. It gave you a working prototype. But a prototype and a product are different things, and the gap between them is where the real problems live.
We use AI coding tools at Norsoft every day. Cursor, Claude Code, GitHub Copilot. We like them. This isn't an anti-AI article. This is about what happens after the exciting part, when you try to turn that demo into something you can actually put in front of paying customers.
What actually goes wrong
The problems aren't random. They follow patterns that show up in nearly every AI-generated codebase, regardless of which tool built it. A July 2025 study from Veracode found that AI-generated code introduced security vulnerabilities in 45% of coding tasks tested. That number isn't a fluke. It reflects how these tools are designed: they optimize for making something work, not for making it safe.
Security holes everywhere
Go look at your app's frontend code right now. Open the JavaScript files and search for anything that looks like a password or API key. If your app was vibe-coded, there's a decent chance you'll find database credentials, payment processor keys, or auth tokens sitting right there in code that any visitor's browser can read.
AI tools do this because it's the fastest way to make something functional. Need to connect to a database? Hardcode the connection string. Need to call Stripe? Drop the secret key inline. The app works perfectly, and the security vulnerability is completely invisible unless you know to look for it.
It goes deeper than keys, too. Backend routes that respond to anyone without checking who's asking. Input fields that pass whatever the user types straight into a database query. Sensitive data stored in the browser's localStorage where any script on the page can grab it. These aren't obscure edge cases. They're the default behavior of AI coding tools.
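The search described above can be automated. This Node.js scanner is an added example, not code from the original article. The rule list, the sample bundle and the `scanSource` name are assumptions constructed for illustration.

```javascript
// Added example: rules and sample values below are constructed for illustration.
const RULES = [
  // Stripe secret (sk_) and restricted (rk_) keys must never reach the browser.
  { id: "stripe-secret-key", re: /\b(?:sk|rk)_(?:live|test)_[A-Za-z0-9]{10,}/g },
  // Connection strings that embed user:password@host.
  { id: "db-url-with-password",
    re: /\b(?:postgres(?:ql)?|mysql|mongodb(?:\+srv)?):\/\/[^\s:@\/'"]+:[^\s@\/'"]+@[^\s'"]+/g },
  // Quoted literal assigned to a secret-looking name; group 1 is the value.
  { id: "generic-secret-assignment",
    re: /\b(?:api[_-]?key|secret|token|password)\b["']?\s*[:=]\s*["']([^"']{12,})["']/gi,
    // Stripe publishable keys (pk_) are meant to be public, so do not flag them.
    allow: /^pk_(?:live|test)_/ },
];

// Constructed sample of what a bundled frontend file might contain.
const SAMPLE_BUNDLE = [
  'const stripeConfig = { apiKey: "pk_live_EXAMPLEexample000000" };',
  'const charge = { key: "sk_live_EXAMPLEexample000000" };',
  'const dbUrl = "postgres://app:example-password@db.example.internal:5432/prod";',
  'const mailer = { password: "constructed-value-0123456789" };',
  'localStorage.setItem("theme", "dark");',
].join("\n");

// Return one finding per match, with the value truncated so the report
// itself does not become a second copy of the secret.
function scanSource(source) {
  const findings = [];
  source.split("\n").forEach((text, i) => {
    for (const rule of RULES) {
      for (const m of text.matchAll(rule.re)) {
        const value = m[1] ?? m[0];
        if (rule.allow && rule.allow.test(value)) continue;
        findings.push({ line: i + 1, rule: rule.id, preview: value.slice(0, 8) + "..." });
      }
    }
  });
  return findings;
}

console.log(scanSource(SAMPLE_BUNDLE));
```

Any key this turns up in shipped frontend code should be treated as already exposed: rotate it, then move it to the server.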
No architecture, just accumulation
When you vibe-code, each prompt solves one problem. "Add a login page." "Make a dashboard." "Let users upload files." The AI writes code that handles each request, but it doesn't think about how all those pieces fit together. After thirty or forty prompts, you end up with a codebase that's more like a pile than a building.
Business logic lives inside UI components. The same function exists in three different files with slightly different names. Data flows in circles. Nothing has a clear home. This doesn't matter during a demo because everything still runs. It starts to matter the moment you try to change something. You fix the upload feature and the dashboard breaks. You update the pricing page and the login stops working. Not because you did anything wrong, but because the code was never structured to handle changes.
Zero test coverage
Ask yourself this: if you pushed a change to your app right now, how would you know if it broke something? If the answer is "I'd click around and check," you have the same problem as most vibe-coded projects. There are no automated tests. No safety net. Every deployment is a coin flip.
AI tools almost never write meaningful tests unless you demand them, and even then they tend to write the easy ones. "Does the page load?" Sure. "What happens when a user submits a form with an expired session while another tab is processing a payment?" Nobody checked, and that's the kind of thing that blows up at 2am on a Saturday when real people are trying to give you money.
The SEO problem nobody talks about
If your vibe-coded app has any public-facing pages, there's a good chance Google can't see them. AI tools love React, and React renders in the browser instead of on the server. When Google's crawler visits your site, it gets an empty HTML shell with a JavaScript file attached. Your content exists, but only for humans who load the page with a real browser.
An SEO auditor on Reddit told a story about a client who couldn't figure out why a brand new site with solid content wasn't getting indexed. They pulled up the rendered HTML and it was empty. The site looked perfect to visitors but was completely invisible to search engines. If you're counting on organic traffic, this is the kind of thing that costs you months before you even realize it's happening.
It works on one machine
Your vibe-coded app probably runs great on your laptop. It knows where the files are, the right versions of everything are installed, and the environment variables are set the way the AI expected. Now try running it somewhere else. A teammate's computer. A staging server. A fresh cloud instance.
Most of the time it falls apart. File paths only work on your operating system. Dependencies aren't pinned to specific versions so they update and break things. There's no deployment configuration, no Docker setup, no documentation about what needs to exist for the app to start. The app isn't broken. It just never learned to live anywhere except the machine it was born on.
Why vibe coding projects fail
None of these problems kill a project on their own. They compound. Here's how it usually plays out:
In the first week or two, everything feels amazing. You're building fast, the AI is keeping up with your ideas, and you have a working thing you can show people. This part is genuinely impressive and it's why vibe coding is popular.
Around week four, features start taking longer. Each new thing you add touches code the AI wrote weeks ago, and that code wasn't designed to be touched. You spend more time fixing side effects than building. The pace that felt magical starts to feel frustrating.
By week eight, someone asks about security. Maybe it's a potential investor, maybe it's a technical co-founder, maybe it's a customer who works in compliance. You realize you don't actually know what's in your own codebase, and when you start looking, you find the exposed keys and missing auth checks we talked about.
By week twelve, you try to bring on a real developer. They open the repo, spend a day reading it, and come back with some version of: "I can work on this, but we need to restructure it first, and that's going to take a few weeks before I can build anything new." The number they quote to do that restructuring is more than you expected.
This isn't a failure of vibe coding as a concept. It's what happens when a prototype gets treated like a finished product. The AI gave you exactly what you asked for. You just didn't ask for the boring stuff that keeps software alive once real people start depending on it.
What the problems actually cost
The tricky thing about these problems is that they don't send you an invoice. The costs show up sideways, in lost time and missed opportunities and incidents you didn't see coming.
A data breach from exposed credentials is the scariest one. IBM's 2025 Cost of a Data Breach Report puts the global average at $4.44 million. Your app probably wouldn't hit that number, but even a small incident means notification requirements, potential legal exposure, and the kind of customer trust damage that doesn't have a clean price tag.
Developer time wasted on tangled code is the slow bleed. If every feature takes three times longer than it should because the codebase fights you, that's real money. A developer at $50 an hour spending an extra 20 hours a month on avoidable complexity is $12,000 a year in pure waste. That's money you could've spent building the next feature.
Invisible SEO is the silent killer for any business that depends on being found online. If Google can't crawl your site because the AI built it in client-rendered React, every customer you'd have gotten from search is a customer you're now paying to acquire through ads. And you might not realize it's happening for months.
What to do about it
Here's the thing. None of this means you should stop using AI tools. They're genuinely good at what they do. But the right way to use them is to treat their output like a first draft, not a finished product. You wouldn't publish a first draft of a book. Same idea.
If you're about to start
Use the AI to build your prototype, then budget for a cleanup before you launch. Think of it like building a house. You hire someone to do the rough framing, then the electrician and plumber come through before anyone moves in. The framing is useful and necessary. It's just not the whole job.
If you already have a vibe-coded app in production
Start with security because that's where the real risk is. Move API keys out of frontend code. Add authentication to every backend endpoint. Validate user inputs. This alone makes your app dramatically safer and usually takes days, not weeks. It's the highest-value work you can do.
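Here is what the authentication and input-validation fixes look like side by side. This is an added, framework-free example, not code from the original article. The `sessions` store, the recording `db` stub, the route names and the `$1`-style placeholders are assumptions that stand in for whatever session store, database driver and router your app really uses.

```javascript
// Added example. `sessions`, `db` and the route names are hypothetical stand-ins
// for a real session store, database driver and router.
const sessions = new Map([["tok-alice", { userId: 1 }]]); // constructed sample session
const db = {
  log: [], // records each statement so the difference is visible
  query(text, params = []) { this.log.push({ text, params }); return []; },
};

// BEFORE: answers anyone, and splices user input into the SQL text.
function getInvoicesUnsafe(req) {
  const sql = "SELECT * FROM invoices WHERE customer = '" + req.query.customer + "'";
  return { status: 200, body: db.query(sql) };
}

// Wrap a handler so it only runs for a request carrying a known session token.
function requireAuth(handler) {
  return (req) => {
    const m = /^Bearer (.+)$/.exec(req.headers.authorization || "");
    const session = m ? sessions.get(m[1]) : undefined;
    if (!session) return { status: 401, body: { error: "unauthenticated" } };
    return handler({ ...req, session });
  };
}

// AFTER: authenticated, input validated, value passed as a bound parameter.
const getInvoices = requireAuth((req) => {
  const customer = req.query.customer;
  if (typeof customer !== "string" || !/^[A-Za-z0-9_-]{1,64}$/.test(customer)) {
    return { status: 400, body: { error: "invalid customer" } };
  }
  const sql = "SELECT * FROM invoices WHERE customer = $1 AND owner_id = $2";
  return { status: 200, body: db.query(sql, [customer, req.session.userId]) };
});

const routes = { "/invoices-old": getInvoicesUnsafe, "/invoices": getInvoices };

// Audit: call every route with no credentials; anything but 401 is unprotected.
function findUnprotected(table) {
  const anonymous = { headers: {}, query: { customer: "probe" } };
  return Object.keys(table).filter((path) => table[path](anonymous).status !== 401);
}

console.log(findUnprotected(routes)); // [ '/invoices-old' ]
```

Running an audit like `findUnprotected` in CI keeps a newly generated route from shipping without an auth check.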
After that, deal with the architecture. Separate the business logic from the UI. Establish clear patterns so that files have a reason for existing where they do. This takes longer, but it's what makes the difference between a codebase you can build on and one that fights you every step.
Then add tests for the paths that actually matter. You don't need 100% coverage. You need enough that deploying on a Friday afternoon doesn't require bravery.
If you're stuck and need help
This is exactly what our vibe code cleanup service is built for. We audit what the AI built, fix the security issues, restructure the architecture, and add test coverage that makes it production-grade. The goal isn't to throw your code away. It's to take what works and make it safe enough and stable enough to grow on.
We use these AI tools ourselves every day, so we know the specific patterns they produce and what it takes to close the gap between prototype and production. Read more about the specific security risks or see how vibe coding compares to traditional development.
Frequently asked questions
What is the biggest problem with vibe coding?
Security. AI tools routinely hardcode API keys, skip authentication on backend routes, and ignore input validation. A vibe-coded app that works fine in a demo often has open doors that any basic security scan will find. The code runs, but it's not safe to put in front of real users with real data.
What are the main reasons vibe coding projects fail?
Most failures come down to three things. The code has no real architecture, so changes in one place break things somewhere else. There are no automated tests, so bugs ship without anyone noticing. And the original AI-generated patterns weren't designed to scale past a handful of users. The prototype works great. The product doesn't.
Why are people against vibe coding?
Most professional developers aren't against AI tools themselves. What they push back on is shipping AI-generated code without reviewing it first. The output tends to look clean on the surface but often contains security vulnerabilities, duplicated logic, and architecture that doesn't hold up under real use. The tool is useful. Skipping the review is the problem.
Can a vibe-coded app be fixed or does it need to be rebuilt?
Almost always fixed. The typical path is a security audit first, then architecture restructuring, then adding test coverage. Full rebuilds are rare and usually only come up when the AI picked a fundamentally wrong framework for the job.
How much does it cost to clean up vibe-coded software?
It depends on the size of the app and how serious the issues are. Industry rates for code audit and remediation work range from $150 to $250+ per hour for experienced engineers. A focused security audit on a small app might take a week. A full architecture cleanup for something larger could take a month. Reach out and we'll give you a real estimate based on your actual codebase.
If you've got a vibe-coded app that works but you know isn't ready for real users, send us the repo. We'll look at it and tell you exactly what needs to happen. No pitch, no pressure. Reach out here or call us at (507) 388-4748.