VulnResolver: A Hybrid Agent Framework for LLM-Based Automated Vulnerability Issue Resolution

📅 2026-01-20
🤖 AI Summary
This work proposes VulnResolver, the first large language model–based hybrid agent framework for automated vulnerability repair that operates without human-annotated labels such as fault locations or CWE tags—data that are often scarce and fail to capture the semantic context in natural language issue reports. VulnResolver employs two synergistic agents: one for contextual pre-collection and another for security property analysis, enabling end-to-end vulnerability localization and patch generation directly from unstructured problem descriptions. By integrating the adaptability of autonomous agents with the reliability of workflow-guided orchestration, VulnResolver achieves a 75% repair rate on SEC-bench Lite, substantially outperforming the strongest existing baseline, OpenHands, and demonstrating particularly strong performance on the more challenging SEC-bench Full benchmark.

📝 Abstract
As software systems grow in complexity, security vulnerabilities have become increasingly prevalent, posing serious risks and economic costs. Although automated detection tools such as fuzzers have advanced considerably, effective resolution still often depends on human expertise. Existing automated vulnerability repair (AVR) methods rely heavily on manually provided annotations (e.g., fault locations or CWE labels), which are often difficult and time-consuming to obtain, while overlooking the rich, naturally embedded semantic context found in issue reports from developers. In this paper, we present VulnResolver, the first LLM-based hybrid agent framework for automated vulnerability issue resolution. VulnResolver unites the adaptability of autonomous agents with the stability of workflow-guided repair through two specialized agents. The Context Pre-Collection Agent (CPCAgent) adaptively explores the repository to gather dependency and contextual information, while the Safety Property Analysis Agent (SPAAgent) generates and validates the safety properties violated by vulnerabilities. Together, these agents produce structured analyses that enrich the original issue reports, enabling more accurate vulnerability localization and patch generation. Evaluations on the SEC-bench benchmark show that VulnResolver resolves 75% of issues on SEC-bench Lite, achieving the best resolution performance. On SEC-bench Full, VulnResolver also significantly outperforms the strongest baseline, the agent-based OpenHands, confirming its effectiveness. Overall, VulnResolver delivers an adaptive and security-aware framework that advances end-to-end automated vulnerability issue resolution through workflow stability and the specialized agents' capabilities in contextual reasoning and property-based analysis.

Problem

Research questions and friction points this paper is trying to address.

automated vulnerability repair
manual annotations
issue reports
semantic context
vulnerability resolution

Innovation

Methods, ideas, or system contributions that make the work stand out.

LLM-based vulnerability repair
hybrid agent framework
context-aware analysis
safety property validation
automated patch generation