Vulnhuntr: A Tool for Finding Exploitable Vulnerabilities with LLMs and Static Code Analysis
Vulnhuntr is an open-source tool, available on GitHub, that combines Large Language Models (LLMs) with static code analysis to find remotely exploitable vulnerabilities in Python projects. Rather than matching isolated patterns in a single file, it lets the model follow user-controlled data across files and functions, which is what makes its findings useful to developers, security professionals, and organizations alike.
How Vulnhuntr Works
Vulnhuntr works in several stages:
- LLM-powered README analysis: the LLM first reads the project's README to learn what the codebase does and which areas are likely to be vulnerable. That summary guides the subsequent analysis.
- Initial code scan: the LLM then scans the codebase and flags potential vulnerabilities based on common vulnerability patterns and secure-coding practice.
- Contextual deep dive: for each candidate, Vulnhuntr gives the LLM a vulnerability-specific prompt that triggers a more thorough analysis. The LLM requests additional context (functions and classes from related files) as it needs it, tracing the flow of data from user input to the server-side code that consumes it. This is how it catches vulnerabilities that span multiple files and functions.
- Vulnerability report: Vulnhuntr writes a detailed report that includes:
  - the initial assessment for each file
  - the secondary assessment, with the context functions and class references that were pulled in
  - a confidence score for each vulnerability
  - logs of the analysis process
  - proof-of-concept (PoC) exploits for validated vulnerabilities
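The context-request loop described above, reduced to a runnable sketch. This is added example code, not Vulnhuntr's own implementation: a deterministic call-walker stands in for the LLM, the two files in SAMPLE_REPO are a constructed mini-codebase, and the SINKS set, ContextProvider, call_names and trace are names chosen here for illustration. What it shows is the mechanism the real tool relies on: the analyst names a symbol, the tool extracts that symbol's source with `ast`, and the walk continues across file boundaries until a dangerous sink is reached.

```python
"""Sketch of the context-on-demand loop: the analyst (an LLM in the real
tool, a deterministic call-walker here) names a symbol, the provider
extracts that symbol's source with `ast`, and the walk continues until a
dangerous sink is reached. Example code, not Vulnhuntr's implementation."""
import ast

# Constructed sample codebase: a request parameter flows through a helper
# in a second module into open(), the classic LFI shape.
SAMPLE_REPO = {
    "app/routes.py": '''
from app.utils import load_template, render

def view_template(request):
    name = request.args.get("name")
    body = load_template(name)
    return render(body)
''',
    "app/utils.py": '''
import os

TEMPLATE_DIR = "/srv/app/templates"

def load_template(name):
    path = os.path.join(TEMPLATE_DIR, name)
    with open(path) as fh:
        return fh.read()

def render(body):
    return "<html>" + body + "</html>"
''',
}

# Calls treated as sinks for this example (a real scanner's list is longer)
SINKS = {"open", "os.system", "subprocess.run", "subprocess.Popen", "eval", "exec"}


class ContextProvider:
    """Indexes top-level functions and classes so a symbol's source can be
    handed over on request, which is what the tool does when the model
    asks for more context."""

    def __init__(self, repo):
        self.index = {}      # symbol -> (file path, source segment)
        self.requests = []   # every symbol that was asked for, hit or miss
        for path, src in repo.items():
            for node in ast.parse(src).body:
                if isinstance(node, (ast.FunctionDef, ast.AsyncFunctionDef, ast.ClassDef)):
                    self.index[node.name] = (path, ast.get_source_segment(src, node))

    def get(self, symbol):
        self.requests.append(symbol)
        return self.index.get(symbol)


def call_names(func_src):
    """Dotted names of every call inside a function body, e.g. 'os.path.join'."""
    names = []
    for node in ast.walk(ast.parse(func_src)):
        if not isinstance(node, ast.Call):
            continue
        parts, target = [], node.func
        while isinstance(target, ast.Attribute):
            parts.append(target.attr)
            target = target.value
        if isinstance(target, ast.Name):
            parts.append(target.id)
            names.append(".".join(reversed(parts)))
    return names


def trace(provider, entry, _chain=None, _seen=None):
    """Depth-first walk from `entry`, requesting each callee's source on
    demand. Returns the call chain and sink if one is reached, else None."""
    seen = _seen if _seen is not None else set()
    seen.add(entry)
    ctx = provider.get(entry)
    if ctx is None:   # external symbol (framework object, builtin): no source to show
        return None
    file_path, src = ctx
    chain = (_chain or []) + [f"{file_path}:{entry}"]
    for callee in call_names(src):
        if callee in SINKS:
            return {"chain": chain, "sink": callee, "file": file_path}
        if callee not in seen:
            found = trace(provider, callee, chain, seen)
            if found:
                return found
    return None


if __name__ == "__main__":
    provider = ContextProvider(SAMPLE_REPO)
    print(trace(provider, "view_template"))
    print("context requested for:", provider.requests)
```

Run it and the chain comes back as `view_template` in `app/routes.py` calling `load_template` in `app/utils.py`, which reaches `open`. The `requests` list is the interesting part for understanding the real tool: it records exactly which symbols had to be fetched, including misses such as `request.args.get` that live outside the repository, which is the budget an LLM-driven scanner spends on every candidate finding.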
Example Vulnerabilities Found in Repositories
Recent scans with Vulnhuntr have turned up vulnerabilities in several high-profile projects:
- gpt_academic (64k stars): LFI, XSS
- ComfyUI (50k stars): XSS
- FastChat (35k stars): SSRF
- REDACTED (29k stars): RCE, IDOR
- Ragflow (16k stars): RCE
These findings illustrate the range of vulnerability types Vulnhuntr can detect, from LFI in an academic research tool to RCE in machine learning projects.
Limitations
Vulnhuntr is a useful addition to the scanning toolbox, but it has clear limits:
- Python support: the tool currently analyzes Python codebases only.
- Vulnerability classes: it looks for a fixed set of classes: LFI (local file inclusion), AFO (arbitrary file overwrite), RCE, XSS, SQLI, SSRF and IDOR. Bugs outside these classes, and bugs not reachable from user input, are out of scope.
- LLM output: as with any model-driven analysis, confidence scores and generated PoCs are leads to verify, not proof. Reproduce a PoC against a test instance before filing a report.
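For two of the classes above, LFI and AFO, the code pattern the scanner is hunting for is a file path built from user input, and the fix is the same in both cases. The following is an added example, not code from Vulnhuntr or from any of the projects named above: the TEMPLATE_DIR location and the function names are invented for illustration, and the vulnerable form is included only to show what the flagged code looks like next to its hardened replacement.

```python
"""Vulnerable and hardened forms of the file-path pattern behind LFI (read)
and AFO (write) findings. Added example, not Vulnhuntr code; the template
directory and function names are made up for illustration."""
import os
from pathlib import Path

TEMPLATE_DIR = Path("/srv/app/templates")  # assumed location, never created here


def resolve_vulnerable(base: Path, user_path: str) -> Path:
    """What the flagged code does: joins user input straight onto the base.
    '..' segments are kept, and os.path.join discards `base` entirely
    when user_path is absolute."""
    return Path(os.path.join(base, user_path))


def safe_join(base: Path, user_path: str) -> Path:
    """Resolve the candidate and require it to sit strictly below `base`.
    resolve() collapses '..' and follows symlinks, so the check is done on
    the real path, not on the string the client sent."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    base = base.resolve()
    candidate = (base / user_path).resolve()
    if base not in candidate.parents:   # also rejects base itself ('.' or '')
        raise ValueError(f"path {user_path!r} escapes {base}")
    return candidate


def is_contained(base: Path, user_path: str) -> bool:
    """Boolean wrapper around safe_join, handy for tests and allow-lists."""
    try:
        safe_join(base, user_path)
        return True
    except ValueError:
        return False


def read_template(name: str) -> str:
    """LFI-hardened read: the open() sink only ever sees a contained path."""
    return safe_join(TEMPLATE_DIR, name).read_text()


def write_upload(name: str, data: bytes) -> int:
    """AFO-hardened write: same containment check, plus O_EXCL so an
    existing file is never silently overwritten."""
    target = safe_join(TEMPLATE_DIR, name)
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        return fh.write(data)
```

The containment check deliberately compares resolved paths rather than rejecting strings containing `..`: a symlink inside the template directory pointing outside it passes a string filter but fails here, and an absolute path such as `/etc/passwd` is rejected even though `os.path.join` would have happily returned it.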
Conclusion
By combining LLMs with static code analysis, Vulnhuntr brings a fresh approach to vulnerability detection, pairing a high-level pass over the codebase with targeted deep dives. Because it pulls in context from related parts of the codebase on demand, it can follow a vulnerability across file boundaries, and its final report, with PoC exploits and confidence scores, gives developers and security teams something concrete to act on.
You can explore Vulnhuntr and contribute to its development on GitHub.