The invention provides a vulnerability detection method and device, and the method comprises the steps: building abstract syntax trees of a to-be-detected program source code and a vulnerability fragment, and determining the similarity between the two abstract syntax trees so as to determine whether a vulnerability exists in the to-be-detected program source code or not. The abstract syntax tree can represent details and structural information of program codes. Functions such as variables, a grammatical structure relationship is formed between the keywords and the operation. Therefore, the abstract syntax tree is used for representing the syntax structure relationship of the to-be-detected program source code and the vulnerability fragment, and the syntax structure relationship of the to-be-detected program source code and the vulnerability fragment can be completely represented. The problems that the similarity calculation result is low in accuracy and the vulnerability detection result is low in accuracy due to the fact that the character string only can represent the grammar sequence and cannot represent the grammar structure relation are avoided.