AutoPatch: Multi-Agent Framework for Patching Real-World CVE Vulnerabilities
Minjae Seo, Wonwoo Choi, Myoungsung You, and Seungwon Shin

TL;DR
AutoPatch is a multi-agent framework that effectively patches real-world CVE vulnerabilities in LLM-generated code by combining retrieval, analysis, and reasoning, achieving high accuracy and cost efficiency.
Contribution
It introduces AutoPatch, a novel multi-agent system integrating retrieval, analysis, and reasoning to patch complex vulnerabilities without costly fine-tuning.
Findings
90.4% accuracy in CVE matching
89.5% F1-score for vulnerability verification
95.0% accuracy in patching
Abstract
Large Language Models (LLMs) have emerged as promising tools in software development, enabling automated code generation and analysis. However, their knowledge is limited to a fixed cutoff date, making them prone to generating code vulnerable to newly disclosed CVEs. Frequent fine-tuning with new CVE sets is costly, and existing LLM-based approaches focus on oversimplified CWE examples and require providing explicit bug locations to LLMs, limiting their ability to patch complex real-world vulnerabilities. To address these limitations, we propose AutoPatch, a multi-agent framework designed to patch vulnerable LLM-generated code, particularly those introduced after the LLMs' knowledge cutoff. AutoPatch integrates Retrieval-Augmented Generation (RAG) with a structured database of recently disclosed vulnerabilities, comprising 525 code snippets derived from 75 high-severity CVEs across…
Taxonomy
Topics: Software Engineering Research · Software Testing and Debugging Techniques · Advanced Malware Detection Techniques
