Zero-Shot Vulnerability Repair

Updated 9 November 2025

Zero-shot vulnerability repair is defined as automated patch synthesis from generic bug-fix data without vulnerability-specific training.
Techniques such as encoder-decoder models, GANs, and prompt-based LLMs are employed, showing improvements like a 26.9% success boost in some scenarios.
Effective repair relies on ensemble prompting, dynamic state-guidance, and explicit contextual cues (e.g., CVE inputs) to ensure secure software assurance.

Zero-shot vulnerability repair refers to the automated generation of patches for software vulnerabilities by machine learning or program synthesis systems that have not been fine-tuned on vulnerability-specific data or paired “buggy→fixed” examples for the target problem. The zero-shot setting requires models to generalize from generic programming knowledge, related bug-fix patterns, or distributional properties of repaired code to produce effective vulnerability mitigation. This paradigm is central to the promise of scalable AI-based software assurance, minimizing the need for constant retraining as new vulnerabilities and languages emerge.

1. Formal Definitions and Core Setting

Zero-shot vulnerability repair is defined as the process in which a model is presented with a vulnerable code sample—sometimes along with minimal contextual or descriptive information—and must return a secure, functionally correct fix, even though the model has not observed supervised pairs of vulnerabilities and their corresponding patches during training for the specific vulnerability type or codebase (Chen et al., 2021, Pearce et al., 2021, Liu et al., 10 Apr 2025, Wang et al., 5 Aug 2025, Antal et al., 13 Jun 2025, Tol et al., 2023, Harer et al., 2018).

Key terms:

Zero-shot: No vulnerability-specific fine-tuning, no in-context “buggy→fixed” exemplars, and often no iterative feedback loop.
Input: Typically, a function or code region known (or suspected) to be vulnerable, optionally accompanied by test cases, crash reports, or vulnerability metadata (CVE/CWE).
Output: A candidate patch (or a set thereof) that addresses the vulnerability, preserves intended behavior, and passes available functional and/or security tests.

Two general subtypes can be distinguished:

Pure zero-shot: Model is trained on general code corpora, possibly generic bug fixes, but no vulnerability-specific repair pairs (Chen et al., 2021, Harer et al., 2018).
Prompt-based zero-shot via retrieval: LLM is prompted on-the-fly with natural-language instructions or context, with no in-context learning or explicit repair demonstration for the target code (Pearce et al., 2021, Liu et al., 10 Apr 2025, Antal et al., 13 Jun 2025, Wang et al., 5 Aug 2025).

2. Principal Methodologies

A variety of model architectures and algorithmic strategies have been developed for zero-shot vulnerability repair.

Discriminative and Generative Approaches

Encoder–Decoder and Seq2Seq Models: Transformers, RNNs, or other models pre-trained on general bug-fixing or code editing corpora can be used in a zero-shot fashion by directly applying them to vulnerable code, exploiting the syntactic and semantic transferability of bug fix primitives (Chen et al., 2021).
Adversarial Learning: GAN-style frameworks match the distribution of “bad” (vulnerable) and “good” (fixed) code without paired training data, regularizing the mapping with autoencoding and frequency matching to preserve input-dependent conditioning (Harer et al., 2018).
LLM-based Prompting: Off-the-shelf LLMs (Codex, GPT-4o, etc.) are provided with templates describing the buggy code (often along with short bug descriptions, comments, or related context), and asked to output a “fixed” version (Pearce et al., 2021, Antal et al., 13 Jun 2025, Liu et al., 10 Apr 2025).
Dynamic State-Guided Repair: Agents interface with debuggers (e.g., LLDB/GDB) to interactively collect runtime states and constraints, constructing LLM prompts that blend static context and dynamic traces to guide patch synthesis analogous to human debugging (Liu et al., 10 Apr 2025).

Table 1. Zero-Shot Repair Techniques and Model Classes

Approach	Model/Data Used	Example Source
Generic seq2seq/Transformer	Bug-fix edits only (no security data)	(Chen et al., 2021)
LLM Prompt-based	Pretrained LLM; prompt w/ vulnerable code	(Pearce et al., 2021 Antal et al., 13 Jun 2025)
GAN (Unpaired)	Separate corpora for “bad”/“good” code	(Harer et al., 2018)
Dynamic-guided LLM	LLM, runtime constraints/traces	(Liu et al., 10 Apr 2025)
Side-channel patching	LLM + dynamic microarchitectural analysis	(Tol et al., 2023)

Method selection reflects vulnerability type, code modality, and the availability of triggers, specifications, or test suites.

3. Prompt Engineering and Context Encoding

Prompt composition is critical for LLM-based zero-shot repair. Empirical studies show that the structure, content, and explicitness of the prompt strongly modulate patch success rates (Pearce et al., 2021, Antal et al., 13 Jun 2025, Wang et al., 5 Aug 2025).

Notable Prompt Strategies

Minimal Context: Only the function header or a brief instruction, e.g., “Fix this function for CWE-89.”
Commented Out Vulnerable Code: Include the buggy function body in comments, immediately preceding the output marker; boosts model’s ability to map faulty logic to fixed logic.
Explicit CWE/CVE Guidance: Inserting raw vulnerability descriptions (especially CVE entries) into the prompt significantly heightens repair rates in real-world settings, outperforming abstract CWE summaries by 7.9 percentage points in success rate (Antal et al., 13 Jun 2025).
Manual Project Hints: Adding context such as helper method signatures or repository-local patch idioms.
Ensemble Prompting: Using a diverse set (e.g., top-3 prompt variants including CVE hints plus manual context) yields additive coverage, with >60% of distinct vulnerabilities fixed in benchmark studies (Antal et al., 13 Jun 2025).

For dynamic-guided agents, prompts are mixed-mode: static code slices, dynamic runtime variable tables, natural language descriptions of expected constraints, and explicit task framing to ground LLM reasoning (Liu et al., 10 Apr 2025). This approach interleaves code understanding with dynamically observed execution evidence.

4. Quantitative Performance, Empirical Results, and Failure Modes

Model Evaluation Protocols

Function-level Patch Exact Match (EM): Strict equivalence to human patch.
n-gram Overlap (BLEU, ROUGE): Similarity measures for code generation.
Pass@k: Fraction of generated patches passing predefined tests out of k attempts (Liu et al., 10 Apr 2025).
Distinct Patches Fixed: Across multiple runs or prompt variants, the union of vulnerabilities successfully repaired.

Representative Results

Transformer (VRepair, no vuln data): 18.24% accuracy on Big-Vul test (bug-fix only model); transfer learning to vulnerability data improves to 21.86% (Chen et al., 2021).
GAN (no pairs): BLEU-4 scores for unpaired GAN in code repair within 10–15 points of fully supervised seq2seq (Harer et al., 2018).
LLM Zero-Shot (GPT-4o, base prompt): <1% EM on REEF multilingual benchmark; rises to 26.9% for instruction-tuned + few-shot; leveraging CVE in prompt gives a 26.9% SR boost over CWE-style context (Wang et al., 5 Aug 2025, Antal et al., 13 Jun 2025).
Dynamic-Guided LLM (VulDebugger): 60% overall fix rate on 50 real-world C vulnerabilities; 96% on Juliet suite, decisively exceeding retrieval-based or static-only approaches (Liu et al., 10 Apr 2025).
Side-Channel Repair (ZeroLeak): 117/127 leakage points repaired in JavaScript cryptolibraries in a CI sweep with GPT-4, at API cost <\$0.50 and negligible code footprint change (Tol et al., 2023).
Prompt Engineering (GPT-4o, Vul4J): An ensemble of top-3 context-rich prompts fixes 62% of 42 Java vulnerabilities at least once (vs. 40–45% for single prompt/runs) (Antal et al., 13 Jun 2025).

Failure Analysis and Bottlenecks

Error Localization (~45% of fails): Patch is emitted in wrong region.
Partial/Logical Errors: Only part of the vulnerability is fixed, or patch is plausible but incorrect or breaks functionality (Wang et al., 5 Aug 2025).
Format/Adherence Errors: Output drifts from prompt specification, misaligning with testing harnesses (Wang et al., 5 Aug 2025, Pearce et al., 2021).
Complex/Interprocedural Cases: Repair failing for vulnerabilities needing multi-function context or substantial logic injection (Pearce et al., 2021).

Performance is thus highly sensitive to the alignment between the prompt, the context, and the LLM’s internal prior.

5. Specializations and Domain Adaptations

While zero-shot repair is generally defined over standard memory corruption, injection, and logic vulnerabilities, adaptations for other vulnerability classes have been demonstrated.

Microarchitectural Side-Channels: ZeroLeak combines dynamic leak localization (using tools such as Microwalk–CI, Pitchfork, Spectector, KLEESpectre) with LLM patching in constant-time or speculative-execution-safe idioms. Masking/masking-avoidance is enforced by precise, pattern-dependent prompts, and patch validity is confirmed via mutual information (MI) zeroing at the instruction level (Tol et al., 2023).
Cross-Modality Robustification: Methods such as RoboShot use LMs to extract “harmful” and “helpful” subspaces from model embeddings, projecting out spurious biases in a pure zero-shot regime, thereby raising worst-group accuracy by +15.98 percentage points across vision, text, and tabular tasks (Adila et al., 2023). While not focused on code repair, the same principle—prompt-based, insight-driven self-correction—applies to code vulnerability axes, such as privacy and fairness.

6. Guidelines, Best Practices, and Implementation Roadmaps

The literature in recent years distills several principles for successful zero-shot vulnerability repair:

Leverage Contextual Guidance: Incorporate explicit CVE corpus entries, project-local hints, or constructed repair guidelines into prompts for maximal effect (Antal et al., 13 Jun 2025, Wang et al., 5 Aug 2025).
Ensemble Prompting: Aggregate candidate fixes from multiple diverse prompt instantiations and select or verify by post-processing, significantly raising distinct repair coverage (Antal et al., 13 Jun 2025).
Use Available Dynamic/Testing Feedback: Whenever possible, integrate runtime test crash traces, sanitizer constraints, or dynamic execution traces as part of the repair prompt to facilitate root-cause analysis (Liu et al., 10 Apr 2025, Tol et al., 2023).
Instruction Tuning and Few-Shot Augmentation: While pure zero-shot EM is generally low (≪ 1% in some multilingual settings), few-shot demonstration and instruction-tuning elevate repair rates ∼20–30× (Wang et al., 5 Aug 2025).
Automated Validation: Always verify candidate patches with existing unit or regression tests, static analyzers, or fuzzing tools to filter plausible but faulty repairs (Pearce et al., 2021, Wang et al., 5 Aug 2025).
Human Review: Manual inspection remains essential for security-critical deployments due to the risk of “plausible but incorrect” fixes (Tol et al., 2023, Pearce et al., 2021).

A typical pipeline for scalable zero-shot repair is as follows: context-rich prompt construction (inc. CVE/CWE/raw traces), ensemble LLM querying (≥3 prompt variants×runs), automatic patch selection/validation via tests/fuzzers/sanitizers, and final manual review for correctness (Antal et al., 13 Jun 2025, Liu et al., 10 Apr 2025, Pearce et al., 2021).

7. Limitations, Scalability, and Future Directions

Zero-shot vulnerability repair faces several inherent and practical limitations:

Dependence on Upstream Detection: Only vulnerabilities correctly localized by static/dynamic detectors are eligible for repair via LLM/ML models (Tol et al., 2023, Pearce et al., 2021, Liu et al., 10 Apr 2025).
Transferability and Generalization: Pure zero-shot is feasible for simple, syntactic fixes (e.g., guard insertions), but logic-intensive or cross-procedural vulnerabilities remain challenging (Pearce et al., 2021, Harer et al., 2018).
Model Drift and Prompt Sensitivity: Prompt shape and explicitness (especially for rare or novel vulnerability types) are critical; overly generic prompts yield low repair rates (Antal et al., 13 Jun 2025, Wang et al., 5 Aug 2025).
Resource Constraints: Token limits in LLMs can truncate context, and repair of large-scale or multi-file bugs is out of scope for current zero-shot paradigms (Pearce et al., 2021).
Adversarial Risks: Automatic patching can introduce new subtle bugs, or degrade performance or maintainability; multi-stage validation and review are required. Some GAN-based approaches show occasional “semantic drift” without explicit conditional regularization (Harer et al., 2018).

Work in progress includes joint vulnerability localization and repair (linking static analysis with LLM-based synthesis), formal verification coupling with LLM outputs, and improved context retrieval for prompt construction (e.g., RAG over documentation and bug databases) (Liu et al., 10 Apr 2025, Tol et al., 2023, Antal et al., 13 Jun 2025).

In summary, zero-shot vulnerability repair is feasible through a spectrum of techniques—transformer-based bug-fix transfer, adversarial GANs, large-scale prompt engineering, and dynamic evidence-driven LLM agents. The field is advancing rapidly, but large-scale, production-grade deployment requires further advances in localization integration, prompt automation, validation, and generalization to complex vulnerabilities and novel languages.