A Dual-Loop Agent Framework for Automated Vulnerability Reproduction

TL;DR

This paper introduces CVE2PoC, a dual-loop LLM-based framework that automates vulnerability reproduction by planning, executing, and refining attack strategies, significantly improving success rates over existing methods.

Contribution

The paper presents a novel dual-loop agent framework that separates attack planning from code execution, enabling more effective and efficient vulnerability reproduction.

Findings

Achieves 82.9% and 54.3% success rates on two benchmarks.

Outperforms baseline methods by 11.3% and 20.4%.

Generated PoCs are comparable to human-written exploits in quality.

Abstract

Automated vulnerability reproduction from CVE descriptions requires generating executable Proof-of-Concept (PoC) exploits and validating them in target environments. This process is critical in software security research and practice, yet remains time-consuming and demands specialized expertise when performed manually. While LLM agents show promise for automating this task, existing approaches often conflate exploring attack directions with fixing implementation details, which leads to unproductive debugging loops when reproduction fails. To address this, we propose CVE2PoC, an LLM-based dual-loop agent framework following a plan-execute-evaluate paradigm. The Strategic Planner analyzes vulnerability semantics and target code to produce structured attack plans. The Tactical Executor generates PoC code and validates it through progressive verification. The Adaptive Refiner evaluates execution results and routes failures to different loops: the Tactical Loop for code-level refinement, while the Strategic Loop for attack strategy replanning. This dual-loop design enables the framework to escape ineffective debugging by matching remediation to failure type. Evaluation on two benchmarks covering 617 real-world vulnerabilities demonstrates that CVE2PoC achieves 82.9% and 54.3% reproduction success rates on SecBench.js and PatchEval, respectively, outperforming the best baseline by 11.3% and 20.4%. Human evaluation confirms that generated PoCs achieve comparable code quality to human-written exploits in readability and reusability.