AI Summary
Existing Java fuzzing tools suffer from low vulnerability discovery efficiency due to their neglect of semantic information associated with vulnerability-relevant sink APIs. This work proposes GONDAR, a novel framework that systematically integrates sink API semantics with a multi-agent collaboration mechanism. GONDAR employs CWE-guided, LLM-enhanced static analysis to identify triggerable sink points and deploys two specialized agents, one focused on path reachability and the other on satisfying vulnerability-triggering conditions. By synergistically combining static analysis, large language models, constraint solving, and coverage-guided fuzzing, GONDAR discovers four times as many vulnerabilities as Jazzer, the current state-of-the-art tool, on real-world Java benchmarks. The framework has been successfully deployed in the DARPA AI Cyber Challenge and the OSS-CRS project.
Abstract
Java applications are prone to vulnerabilities stemming from the insecure use of security-sensitive APIs, such as file operations enabling path traversal or deserialization routines allowing remote code execution. These sink APIs encode critical information for vulnerability discovery: the program-specific constraints required to reach them and the exploitation conditions necessary to trigger security flaws. Despite this, existing fuzzers largely overlook such vulnerability-specific knowledge, limiting their effectiveness.
We present GONDAR, a sink-centric fuzzing framework that systematically leverages sink API semantics for targeted vulnerability discovery. GONDAR first identifies reachable and exploitable sink call sites through CWE-specific scanning combined with LLM-assisted static filtering. It then deploys two specialized agents that work collaboratively with a coverage-guided fuzzer: an exploration agent generates inputs to reach target call sites by iteratively solving path constraints, while an exploitation agent synthesizes proof-of-concept exploits by reasoning about and satisfying vulnerability-triggering conditions. The agents and fuzzer continuously exchange seeds and runtime feedback, complementing each other. We evaluated GONDAR on real-world Java benchmarks, where it discovers four times more vulnerabilities than Jazzer, the state-of-the-art Java fuzzer. Notably, GONDAR also demonstrated strong performance in the DARPA AI Cyber Challenge, and is integrated into OSS-CRS, a sandbox project in The Linux Foundation's OpenSSF, to improve the security of open-source software.
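As an added illustration (not code from the paper or from GONDAR), the constructed Java class below separates the two pieces of sink semantics the abstract describes: a program-specific reachability constraint that must be solved before a CWE-22 file sink is reached, and the vulnerability-triggering condition at the sink itself, shown beside a hardened variant and a Jazzer fuzz target. The class, method and directory names are assumptions.

```java
import com.code_intelligence.jazzer.api.FuzzedDataProvider;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class ReportService {
    private static final Path BASE = Path.of("/var/reports"); // constructed example root

    // Reachability constraint: the sink is only reached when the request
    // carries the "RPT1:" prefix and a non-empty name. A sink-centric
    // exploration step must satisfy this path condition before the sink
    // is exercised at all.
    static String parseName(String request) {
        if (request == null || !request.startsWith("RPT1:")) {
            return null;
        }
        String name = request.substring(5).trim();
        return name.isEmpty() ? null : name;
    }

    // Sink (CWE-22): the externally influenced name flows into Files.readString
    // unchecked. Trigger condition: a name that escapes BASE after resolution.
    static String loadVulnerable(String request) throws IOException {
        String name = parseName(request);
        if (name == null) return "";
        return Files.readString(BASE.resolve(name));
    }

    // Hardened sink: normalize the resolved path and confine it to BASE.
    static String loadHardened(String request) throws IOException {
        String name = parseName(request);
        if (name == null) return "";
        Path target = BASE.resolve(name).normalize();
        if (!target.startsWith(BASE)) {
            throw new SecurityException("path escapes report root: " + name);
        }
        return Files.readString(target);
    }

    // Jazzer fuzz target: the fuzzer supplies the request string; Jazzer's
    // file path traversal sanitizer (where available in the version in use)
    // reports when the sink is reached with an escaping path. Swapping in
    // loadHardened should make the finding disappear.
    public static void fuzzerTestOneInput(FuzzedDataProvider data) {
        try {
            loadVulnerable(data.consumeRemainingAsString());
        } catch (IOException | SecurityException ignored) {
            // expected for unreadable or rejected paths
        }
    }
}
```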