Diffploit: Facilitating Cross-Version Exploit Migration for Open Source Library Vulnerabilities
Zirui Chen, Zhipeng Xue, Jiayuan Zhou, Xing Hu, Xin Xia, Xiaohu Yang
TL;DR
Diffploit addresses the problem of migrating an exploit from the library version it was written for to another version, where it breaks because of API refactorings or build and runtime changes. It is a diff-driven, two-module framework. The Context Module builds a migration context from the behavioral discrepancy between the target version and a reference version, pairing the observed failure symptom with the diff hunks that cause it and the hunks that support a fix; the Migration Module then runs an iterative, LLM-guided adaptation loop that uses a simulated-annealing search over candidate diffs to produce an adapted exploit. Evaluated on 102 Java CVEs and 689 migration tasks across 79 libraries, Diffploit reaches an 84.2% success rate, outperforming the baselines TaRGET and IDEA. Its migrations also exposed CVE reports with incorrect affected-version ranges (three of which have been confirmed) and vulnerable versions missing from the GitHub Advisory Database; several of these findings have been accepted by CNAs and the GitHub Advisory Database, which shows the approach is usable in practice. The authors also report limitations where the API gap between versions is large or the failure mode itself changes, and point to these as directions for future work. Overall, Diffploit makes exploit migration automated and context-aware, which supports vulnerability validation and improves the accuracy of vulnerability databases.
Abstract
Exploits are commonly used to demonstrate the presence of library vulnerabilities and validate their impact across different versions. However, applying an exploit directly to another version often fails because of breaking changes introduced during evolution. These failures stem both from changes in triggering conditions (e.g., API refactorings) and from broken dynamic environments (e.g., build or runtime errors), which are hard to interpret and adapt manually. Existing techniques primarily focus on code-level trace alignment through fuzzing, which is time-consuming and insufficient for handling environment-level failures. Moreover, they often fall short when triggering conditions change in complicated ways across versions. To overcome these limitations, we propose Diffploit, an iterative, diff-driven exploit migration method structured around two key modules: the Context Module and the Migration Module. The Context Module dynamically constructs contexts derived from analyzing behavioral discrepancies between the target and reference versions; each context captures the failure symptom and its related diff hunks. Leveraging these contexts, the Migration Module guides an LLM-based adaptation through an iterative feedback loop, balancing exploration of diff candidates against gradual refinement to resolve reproduction failures. We evaluate Diffploit on a large-scale dataset containing 102 Java CVEs and 689 version-migration tasks across 79 libraries. Diffploit successfully migrates 84.2% of the exploits, outperforming the change-aware test repair tool TaRGET by 52.0% and the rule-based tool in IDEA by 61.6%. Beyond technical effectiveness, Diffploit identifies 5 CVE reports with incorrect affected version ranges, three of which have been confirmed. It also discovers 111 unreported vulnerable versions in the GitHub Advisory Database.
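To make the Context Module's idea concrete, here is an added example (not Diffploit's own code, and not the paper's heuristics) of the kind of analysis it describes: given the failure log of an exploit run against the target version and the unified diff between the reference and target versions, classify the failure symptom, pick the hunks that removed the declaration the exploit depended on (causing diffs), and collect the hunks that introduce the replacement API or touch the same file (supporting diffs). The symptom patterns, the `declares`/`mentions` heuristics, and the sample log and diff are all constructed assumptions for illustration.

```python
"""Toy migration-context builder (added example, not Diffploit's code).

Input: the failure log of an exploit run against the target version and the
diff reference -> target.  Output: the symptom kind, the symbols it names,
the causing hunks (removed the declaration the exploit relied on) and the
supporting hunks (show the replacement API or touch the same file).
"""
import re
from dataclasses import dataclass, field


@dataclass
class Hunk:
    path: str
    header: str
    removed: list = field(default_factory=list)
    added: list = field(default_factory=list)


def parse_unified_diff(text):
    """Split a unified diff into hunks, keeping only the '-' and '+' lines."""
    hunks, path, cur = [], None, None
    for line in text.splitlines():
        if line.startswith("diff --git"):
            cur = None                      # file boundary; next '+++ ' names the file
        elif cur is None and line.startswith("+++ "):
            path = re.sub(r"^[ab]/", "", line[4:].strip())
        elif line.startswith("@@"):
            cur = Hunk(path=path, header=line)
            hunks.append(cur)
        elif cur is not None and line.startswith("+"):
            cur.added.append(line[1:])
        elif cur is not None and line.startswith("-"):
            cur.removed.append(line[1:])
    return hunks


# (kind, regex) for the failure modes this toy recognises; first match wins.
SYMPTOM_PATTERNS = [
    ("missing_method", r"NoSuchMethodError: '?(?:[\w.$\[\]]+ )?([\w.$]+)\.(\w+)\("),
    ("missing_method", r"cannot find symbol[\s\S]*?symbol:\s+method (\w+)\("),
    ("missing_class", r"(?:ClassNotFoundException|NoClassDefFoundError): ([\w.$/]+)"),
]


def classify_symptom(log):
    """Return (kind, simple symbol names) for the first recognised failure."""
    for kind, pattern in SYMPTOM_PATTERNS:
        m = re.search(pattern, log)
        if m:  # 'com.example.Parser' -> 'Parser' so it matches source identifiers
            return kind, {g.replace("/", ".").rsplit(".", 1)[-1] for g in m.groups() if g}
    return "unknown", set()


DECL = re.compile(r"(\w+(?:<[^>]*>)?(?:\[\])*)\s+(\w+)\s*\(")   # '<type> <name>('
NOT_DECL = {"return", "new", "throw", "else", "case", "if", "for", "while",
            "switch", "catch", "synchronized"}


def declared_methods(line):
    """Method names a Java line declares (calls like 'x.parse(' do not match)."""
    return {m.group(2) for m in DECL.finditer(line)
            if m.group(1) not in NOT_DECL and m.group(2) not in NOT_DECL}


def declares(line, name):
    return name in declared_methods(line) or bool(
        re.search(r"\b(?:class|interface|enum)\s+" + re.escape(name) + r"\b", line))


def mentions(lines, name):
    pat = re.compile(r"\b" + re.escape(name) + r"\b")
    return any(pat.search(line) for line in lines)


def build_context(log, diff_text):
    """Return {'kind', 'symbols', 'causing', 'supporting'} for one failed run."""
    kind, symbols = classify_symptom(log)
    hunks = parse_unified_diff(diff_text)
    causing = [h for h in hunks
               if any(declares(l, s) for l in h.removed for s in symbols)]
    # Names the causing hunks introduce: the likely replacement API and its new types.
    introduced = set()
    for h in causing:
        for line in h.added:
            introduced |= declared_methods(line)
        old_types = {t for l in h.removed for t in re.findall(r"\b[A-Z]\w*", l)}
        new_types = {t for l in h.added for t in re.findall(r"\b[A-Z]\w*", l)}
        introduced |= new_types - old_types
    causing_ids = {id(h) for h in causing}
    causing_paths = {h.path for h in causing}
    supporting = [h for h in hunks if id(h) not in causing_ids and (
        h.path in causing_paths
        or any(mentions(h.added + h.removed, n) for n in introduced | symbols))]
    return {"kind": kind, "symbols": symbols, "causing": causing, "supporting": supporting}


# Constructed sample: the exploit called Parser.parse(String); the target version
# renamed it to parseDocument(Source), updated one caller, and made an unrelated change.
FAILURE_LOG = """Exception in thread "main" java.lang.NoSuchMethodError: 'com.example.Document com.example.Parser.parse(java.lang.String)'
\tat Exploit.main(Exploit.java:9)
"""

VERSION_DIFF = """diff --git a/src/main/java/com/example/Parser.java b/src/main/java/com/example/Parser.java
--- a/src/main/java/com/example/Parser.java
+++ b/src/main/java/com/example/Parser.java
@@ -10,7 +10,7 @@ public class Parser {
-    public Document parse(String src) {
-        return doParse(new StringReader(src));
+    public Document parseDocument(Source src) {
+        return doParse(src.reader());
     }
diff --git a/src/main/java/com/example/Source.java b/src/main/java/com/example/Source.java
--- /dev/null
+++ b/src/main/java/com/example/Source.java
@@ -0,0 +1,4 @@
+package com.example;
+public final class Source {
+    public static Source of(String s) { return new Source(s); }
+}
diff --git a/src/main/java/com/example/Loader.java b/src/main/java/com/example/Loader.java
--- a/src/main/java/com/example/Loader.java
+++ b/src/main/java/com/example/Loader.java
@@ -20,5 +20,5 @@ public class Loader {
-        Document d = new Parser().parse(text);
+        Document d = new Parser().parseDocument(Source.of(text));
diff --git a/src/main/java/com/example/Util.java b/src/main/java/com/example/Util.java
--- a/src/main/java/com/example/Util.java
+++ b/src/main/java/com/example/Util.java
@@ -3,4 +3,4 @@ public final class Util {
-    static int pad(int n) { return n + 1; }
+    static int pad(int n) { return n + 2; }
"""

if __name__ == "__main__":
    ctx = build_context(FAILURE_LOG, VERSION_DIFF)
    print(ctx["kind"], sorted(ctx["symbols"]))
    for label in ("causing", "supporting"):
        for h in ctx[label]:
            print(f"{label:10s} {h.path} {h.header}")
```

On the constructed sample the Parser.java hunk is the only causing diff (it removed the `parse` declaration), the Source.java and Loader.java hunks are supporting (they introduce the new `Source` type and show `parseDocument` being called), and the Util.java hunk is excluded. That causing/supporting split, plus the symptom, is the kind of context the paper hands to an LLM for adaptation; the real system iterates over such contexts with run-time feedback rather than stopping at this one-shot ranking.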
