LSP servers suffer from insufficient reliability; crashes or vulnerabilities disrupt code intelligence features, compromising development security and efficiency—yet existing testing techniques lack LSP-specific targeting. This paper proposes a grey-box hybrid fuzzing approach tailored for LSP servers: (1) a syntax-tree–guided, semantics-aware mutation phase leveraging source-code structure; and (2) a context-driven request sequencing phase that dynamically schedules editor-operation–informed message sequences to trigger deep, code–interaction–coupled defects. The method integrates LSP protocol state modeling, context-sensitive sequence generation, and lightweight coverage feedback. Evaluated on four widely adopted LSP servers, it uncovered 51 previously unknown vulnerabilities—42 confirmed, 26 patched, and 2 assigned CVE identifiers—demonstrating substantial improvements in the security and stability of the LSP ecosystem.

The Language Server Protocol (LSP) has revolutionized the integration of code intelligence in modern software development. There are approximately 300 LSP server implementations for various languages and 50 editors offering LSP integration. However, the reliability of LSP servers is a growing concern, as crashes can disable all code intelligence features and significantly impact productivity, while vulnerabilities can put developers at risk even when editing untrusted source code. Despite the widespread adoption of LSP, no existing techniques specifically target LSP server testing. To bridge this gap, we present LSPFuzz, a grey-box hybrid fuzzer for systematic LSP server testing. Our key insight is that effective LSP server testing requires holistic mutation of source code and editor operations, as bugs often manifest from their combinations. To satisfy the sophisticated constraints of LSP and effectively explore the input space, we employ a two-stage mutation pipeline: syntax-aware mutations to source code, followed by context-aware dispatching of editor operations. We evaluated LSPFuzz on four widely used LSP servers. LSPFuzz demonstrated superior performance compared to baseline fuzzers, and uncovered previously unknown bugs in real-world LSP servers. Of the 51 bugs we reported, 42 have been confirmed, 26 have been fixed by developers, and two have been assigned CVE numbers. Our work advances the quality assurance of LSP servers, providing both a practical tool and foundational insights for future research in this domain.