Search papers, labs, and topics across Lattice.
This paper introduces RAVEN, a novel framework that combines agentic retrieval-augmented generation (RAG) with controlled iterative repair to automate the repair of software vulnerabilities across diverse types and programming languages. RAVEN addresses the limitations of existing methods by utilizing open-source LLMs in a locally deployable manner and incorporating a Curator Agent to handle complex cross-file dependencies. Evaluated on 160 real-world CVE vulnerabilities, RAVEN achieves an impressive 83.13% repair success rate, significantly outperforming current state-of-the-art frameworks while ensuring low repair costs.
RAVEN repairs 83.13% of software vulnerabilities, leveraging a novel agentic RAG approach that generalizes across diverse types and languages.
Automated vulnerability repair has emerged as a promising direction to mitigate the growing number of software vulnerabilities. Recent advances in Large Language Models (LLMs) have further accelerated research in automated repair. However, existing frameworks remain largely restricted to memory-related vulnerabilities and locally repairable vulnerability settings, leaving generalization to unseen vulnerability types underexplored. Their evaluations are often limited to a single programming language, and largely rely on proprietary models. In this paper, we propose RAVEN, a scalable, efficient and autonomous framework that integrates an agentic retrieval-augmented generation (RAG) pipeline with controlled iterative repair in a unified framework. The framework utilizes open-source LLMs in a fully locally deployable setting with limited GPU requirements, while building a multi-faceted retrieval pipeline to retrieve historically relevant vulnerability fixes and guide the patch generation. In addition, RAVEN introduces a dedicated Curator Agent that retrieves cross-file dependencies from the target repository, to fix complex vulnerabilities that cannot be addressed using local vulnerable code alone. We evaluate RAVEN on 160 real-world CVE vulnerabilities across diverse vulnerability types, two programming languages, unseen CWE categories, and out-of-distribution settings. RAVEN achieves an overall repair success rate of 83.13%, outperforming all existing state-of-the-art repair frameworks, while also demonstrating strong generalization capabilities and maintaining the repair cost negligible.