🤖 AI Summary
This work proposes an agentic retrieval-augmented generation (Agentic RAG) framework to address the limitations of existing automated program repair approaches, which are often confined to memory-related bugs and single programming languages, exhibit weak generalization, and rely on proprietary models. By deploying open-source large language models locally and integrating a multi-dimensional retrieval pipeline, a dedicated Curator Agent, and a controllable iterative mechanism, the framework enables cross-file dependency analysis and repair of complex vulnerabilities. It supports multiple programming languages and previously unseen CWE categories, achieving an 83.13% repair success rate on 160 real-world CVEs—significantly outperforming current state-of-the-art methods—while offering strong generalization capabilities and low repair costs.
📝 Abstract
Automated vulnerability repair has emerged as a promising direction to mitigate the growing number of software vulnerabilities. Recent advances in Large Language Models (LLMs) have further accelerated research in automated repair. However, existing frameworks remain largely restricted to memory-related vulnerabilities and locally repairable vulnerability settings, leaving generalization to unseen vulnerability types underexplored. Their evaluations are often limited to a single programming language, and largely rely on proprietary models. In this paper, we propose RAVEN, a scalable, efficient and autonomous framework that integrates an agentic retrieval-augmented generation (RAG) pipeline with controlled iterative repair in a unified framework. The framework utilizes open-source LLMs in a fully locally deployable setting with limited GPU requirements, while building a multi-faceted retrieval pipeline to retrieve historically relevant vulnerability fixes and guide the patch generation. In addition, RAVEN introduces a dedicated Curator Agent that retrieves cross-file dependencies from the target repository, to fix complex vulnerabilities that cannot be addressed using local vulnerable code alone. We evaluate RAVEN on 160 real-world CVE vulnerabilities across diverse vulnerability types, two programming languages, unseen CWE categories, and out-of-distribution settings. RAVEN achieves an overall repair success rate of 83.13%, outperforming all existing state-of-the-art repair frameworks, while also demonstrating strong generalization capabilities and maintaining the repair cost negligible.