VulnResolver: A Hybrid Agent Framework for LLM-Based Automated Vulnerability Issue Resolution

TL;DR

VulnResolver is a novel hybrid agent framework leveraging large language models to automate vulnerability issue resolution by combining adaptive contextual exploration with safety property analysis, significantly improving resolution accuracy.

Contribution

It introduces VulnResolver, the first LLM-based hybrid agent system that unites adaptive exploration and safety analysis for automated vulnerability fixing, surpassing existing methods.

Findings

Resolves 75% of issues on SEC-bench Lite.

Outperforms baseline OpenHands on SEC-bench Full.

Enhances vulnerability localization and patch generation.

Abstract

As software systems grow in complexity, security vulnerabilities have become increasingly prevalent, posing serious risks and economic costs. Although automated detection tools such as fuzzers have advanced considerably, effective resolution still often depends on human expertise. Existing automated vulnerability repair (AVR) methods rely heavily on manually provided annotations (e.g., fault locations or CWE labels), which are often difficult and time-consuming to obtain, while overlooking the rich, naturally embedded semantic context found in issue reports from developers. In this paper, we present VulnResolver, the first LLM-based hybrid agent framework for automated vulnerability issue resolution. VulnResolver unites the adaptability of autonomous agents with the stability of workflow-guided repair through two specialized agents. The Context Pre-Collection Agent (CPCAgent) adaptively explores the repository to gather dependency and contextual information, while the Safety Property Analysis Agent (SPAAgent) generates and validates the safety properties violated by vulnerabilities. Together, these agents produce structured analyses that enrich the original issue reports, enabling more accurate vulnerability localization and patch generation. Evaluations on the SEC-bench benchmark show that VulnResolver resolves 75% of issues on SEC-bench Lite, achieving the best resolution performance. On SEC-bench Full, VulnResolver also significantly outperforms the strongest baseline, the agent-based OpenHands, confirming its effectiveness. Overall, VulnResolver delivers an adaptive and security-aware framework that advances end-to-end automated vulnerability issue resolution through workflow stability and the specialized agents' capabilities in contextual reasoning and property-based analysis.