Table of Contents
Fetching ...

AutoPatch: Multi-Agent Framework for Patching Real-World CVE Vulnerabilities

Minjae Seo, Wonwoo Choi, Myoungsung You, Seungwon Shin

TL;DR

<3-5 sentence high-level summary>AutoPatch presents a multi-agent framework that patches vulnerabilities in LLM-generated code by leveraging a RAG-backed CVE database and a unified similarity model to match real-world CVEs disclosed after model training. It combines semantic and data flow analyses to guide vulnerability verification and patch generation, supported by one-shot prompting and a patch-verification loop. Evaluation across multiple LLMs demonstrates high vulnerability detection and patching accuracy with substantial cost savings compared to fine-tuning, highlighting practical impact for secure AI-assisted development. The work also discusses limitations, including reliance on known CVEs and coverage gaps for certain platforms, suggesting avenues for expanding detection scope and applicability.>

Abstract

Large Language Models (LLMs) have emerged as promising tools in software development, enabling automated code generation and analysis. However, their knowledge is limited to a fixed cutoff date, making them prone to generating code vulnerable to newly disclosed CVEs. Frequent fine-tuning with new CVE sets is costly, and existing LLM-based approaches focus on oversimplified CWE examples and require providing explicit bug locations to LLMs, limiting their ability to patch complex real-world vulnerabilities. To address these limitations, we propose AutoPatch, a multi-agent framework designed to patch vulnerable LLM-generated code, particularly those introduced after the LLMs' knowledge cutoff. AutoPatch integrates Retrieval-Augmented Generation (RAG) with a structured database of recently disclosed vulnerabilities, comprising 525 code snippets derived from 75 high-severity CVEs across real-world systems such as the Linux kernel and Chrome. AutoPatch combines semantic and taint analysis to identify the most relevant CVE and leverages enhanced Chain-of-Thought (CoT) reasoning to construct enriched prompts for verification and patching. Our unified similarity model, which selects the most relevant vulnerabilities, achieves 90.4 percent accuracy in CVE matching. AutoPatch attains 89.5 percent F1-score for vulnerability verification and 95.0 percent accuracy in patching, while being over 50x more cost-efficient than traditional fine-tuning approaches.

AutoPatch: Multi-Agent Framework for Patching Real-World CVE Vulnerabilities

TL;DR

<3-5 sentence high-level summary>AutoPatch presents a multi-agent framework that patches vulnerabilities in LLM-generated code by leveraging a RAG-backed CVE database and a unified similarity model to match real-world CVEs disclosed after model training. It combines semantic and data flow analyses to guide vulnerability verification and patch generation, supported by one-shot prompting and a patch-verification loop. Evaluation across multiple LLMs demonstrates high vulnerability detection and patching accuracy with substantial cost savings compared to fine-tuning, highlighting practical impact for secure AI-assisted development. The work also discusses limitations, including reliance on known CVEs and coverage gaps for certain platforms, suggesting avenues for expanding detection scope and applicability.>

Abstract

Large Language Models (LLMs) have emerged as promising tools in software development, enabling automated code generation and analysis. However, their knowledge is limited to a fixed cutoff date, making them prone to generating code vulnerable to newly disclosed CVEs. Frequent fine-tuning with new CVE sets is costly, and existing LLM-based approaches focus on oversimplified CWE examples and require providing explicit bug locations to LLMs, limiting their ability to patch complex real-world vulnerabilities. To address these limitations, we propose AutoPatch, a multi-agent framework designed to patch vulnerable LLM-generated code, particularly those introduced after the LLMs' knowledge cutoff. AutoPatch integrates Retrieval-Augmented Generation (RAG) with a structured database of recently disclosed vulnerabilities, comprising 525 code snippets derived from 75 high-severity CVEs across real-world systems such as the Linux kernel and Chrome. AutoPatch combines semantic and taint analysis to identify the most relevant CVE and leverages enhanced Chain-of-Thought (CoT) reasoning to construct enriched prompts for verification and patching. Our unified similarity model, which selects the most relevant vulnerabilities, achieves 90.4 percent accuracy in CVE matching. AutoPatch attains 89.5 percent F1-score for vulnerability verification and 95.0 percent accuracy in patching, while being over 50x more cost-efficient than traditional fine-tuning approaches.
Paper Structure (33 sections, 3 equations, 9 figures, 11 tables)

This paper contains 33 sections, 3 equations, 9 figures, 11 tables.

Figures (9)

  • Figure 1: The overall workflow of AutoPatch.
  • Figure 2: Motivating examples using GPT-4o-2024-11-20. The upper part shows insecure code generation reflecting CVE-2025-21671 (disclosed after the knowledge cutoff). The lower part shows secure code generation for CVE-2022-0185 (disclosed before the cutoff).
  • Figure 3: The overall architecture of AutoPatch.
  • Figure 4: Data Flow Graph (DFG) Extraction.
  • Figure 5: The target code refers to the LLM-generated code of CVE-2024-21671 as depicted in the upper portion of Fig. \ref{['fig:motiv_3']}, while the data flow info refers to the structured representation derived from the extracted Data Flow Graph (DFG), shown in Fig. \ref{['fig:DFG']}.
  • ...and 4 more figures