Search papers, labs, and topics across Lattice.
This study introduces Refploit, a novel LLM-based trajectory recovery framework that enhances the reproduction of Java vulnerability exploits from public references. By validating agent-generated exploits through differential execution and analyzing their reproduction progress, Refploit identifies effective trajectory segments and derives constraints for focused recovery. The framework achieves an impressive 80.2% reproduction rate on 172 exploit references, significantly outperforming existing methods and showcasing its adaptability across different code agents.
Refploit recovers 80.2% of Java vulnerability exploits by transforming failed agent trajectories into actionable insights, revealing the untapped potential of incomplete exploit attempts.
Vulnerability exploits play a crucial role in assessing the downstream impact of Java library vulnerabilities. While some vulnerabilities are accompanied by disclosed exploit references, automatically reproducing such references into runnable exploits remains challenging because they are often incomplete, unstructured, or only describe partial reproduction steps. Recent code agents provide a promising way to automate this process, but our study shows that their generated exploits often appear successful without triggering the actual vulnerable logic, such as replacing vulnerable APIs with self-implemented functions. To address this, we propose Refploit, an LLM-based trajectory recovery framework for facilitating vulnerability reproduction from public exploit references. The key insight is that a failed agent trajectory is not entirely useless. It may have already completed some reproduction subtasks while also revealing misleading directions that should be avoided. Refploit first validates an agent-generated exploit through differential execution. When the exploit is ineffective, Refploit analyzes its reproduction progress, locates the trajectory segments associated with the reproduction progress, and derives constraints to guide focused recovery. We evaluate Refploit on three open-source Java vulnerability datasets, covering 172 exploit references for 143 vulnerabilities. Under DeepSeek-V4-Flash, Refploit successfully reproduces 138 exploits, achieving a reproduction rate of 80.2%. It achieves a 64.3% relative improvement over the initially generated trajectories and outperforms both the SOTA exploit-generation method PoCGen and advanced code agents such as Codex with GPT-5.4. We further adapt Refploit to another code agent and observe consistent improvements, demonstrating its generality.