Local Vulnerability Research Pipeline: 14B Code Model Powers Automated Exploit Mining
The local‑vuln‑research‑pipeline, built around the 14B Qwen2.5‑Coder model, combines a deterministic code‑graph with LLM‑driven exploitability reasoning to exhaustively enumerate source‑to‑sink paths across multiple languages, offering detailed reports while running entirely on local hardware.
Project Overview
Pipeline named local-vuln-research-pipeline hosted at https://github.com/theteatoast/local-vuln-research-pipeline. Design follows a “fully local + exhaustive coverage” principle: no cloud APIs are used and all analysis runs on the user’s hardware.
Core Architecture
Code‑graph + LLM hybrid architecture. The analysis flow consists of:
Fingerprinting + SBOM generation : builds a complete file inventory of the target repository.
Dependency vulnerability scanning : queries the NVD database and filters high‑risk dependencies using EPSS/KEV rankings.
Static analysis : runs Semgrep while constructing a full call graph.
Threat modeling + CVE catalog : injects product‑specific historical CVEs to give the LLM contextual information.
Path enumeration : exhaustively enumerates all source‑to‑sink paths and performs inter‑procedure taint tracking.
Per‑path LLM analysis : validates the real exploitability of each path.
Blind‑spot coverage : feeds source files not covered by paths to the LLM for manual code review.
Attack‑chain synthesis : uses NetworkX transitive closure to build multi‑step attack paths.
Report generation : produces a complete report containing root causes, exploit paths, and remediation suggestions.
Supported Languages & Frameworks
C/C++/Rust : memory‑safety issues such as buffer overflows and use‑after‑free.
TypeScript/JavaScript : XSS, SSRF, prototype pollution, SSTI.
Python : Flask/Django/Express routing security, ORM injection, authentication bypass.
Java : Spring Boot annotation security, SpEL injection, deserialization flaws.
Go : HTTP routing and goroutine race conditions.
Detectable Vulnerability Types
The pipeline can detect a wide range of attack vectors, including command injection, SQL injection, path injection, SSRF, SSTI, deserialization bugs, authentication and access‑control bypasses, hard‑coded credentials, TOCTOU race conditions, XXE, LDAP/XPath injections, weak cryptography, and weak random number usage.
Test Configuration & Performance
GPU : RTX 4070 Ti SUPER (16 GB VRAM)
CPU : Ryzen 7 7700 (8 C/16 T)
Memory : 32 GB DDR5 6000 MHz
Model : Qwen2.5‑Coder‑14B‑Abliterated Q4_K_M (14 B parameters, 8.6 GB)
Draft model : Qwen2.5‑Coder‑0.5B‑Q4_K_M (~400 MB) for speculative decoding
Inference speed : 25‑35 tok/s baseline, 35‑50 tok/s with speculative decoding
Context window : 32 K tokens
Inference service is built on llama.cpp, supporting Jinja templates, flash attention, and Q4 KV cache. Updating the NVD data requires an API key and takes about 45 minutes for roughly 360 k CVE records.
Usage
# Install llama.cpp
winget install llama.cpp # Windows
brew install llama.cpp # macOS / Linux
# Install Python dependencies
pip install -r requirements.txt
pip install huggingface_hub
# Download main model (14B)
huggingface-cli download bartowski/Qwen2.5-Coder-14B-Instruct-abliterated-GGUF \
Qwen2.5-Coder-14B-Instruct-abliterated-Q4_K_M.gguf --local-dir models/
# Download Draft model (0.5B)
huggingface-cli download bartowski/Qwen2.5-Coder-0.5B-Instruct-abliterated-GGUF \
Qwen2.5-Coder-0.5B-Instruct-abliterated-Q4_K_M.gguf --local-dir models/
# Start inference service
python start_server.py
# Update CVE database (first run)
export NVD_API_KEY="your-key-here"
python -m src.main update-cve
# Start vulnerability audit
python run_audit.py /path/to/target-repo
# Resume scan
python run_audit.py /path/to/target-repo --resumeLimitations
C function pointers : dynamic calls via function pointers cannot be precisely resolved; they are conservatively marked.
C++/Java/C# vtables : virtual calls are handled with a conservative parsing strategy.
Reflection calls : flagged as suspicious; severity depends on context.
C macros : the AST parser does not expand macros, so macro‑embedded bugs may be missed.
Assembly code : not within the analysis scope.
Cross‑translation‑unit inlining (C) : appears as separate functions in the call graph.
For these edge cases the system reports uncertainty to the LLM for judgment instead of producing false‑negative results.
Conclusion
local‑vuln‑research‑pipeline demonstrates an important direction for locally‑run AI‑driven code auditing: exhaustive path enumeration guarantees coverage, while the LLM handles semantic exploitability reasoning. Compared with pure dynamic analysis or rule‑based static scanners, the code‑graph + LLM hybrid achieves a better balance between recall and precision. It enables systematic vulnerability mining of massive codebases without relying on external cloud services.
Project URL: https://github.com/theteatoast/local-vuln-research-pipeline
Signed-in readers can open the original source through BestHub's protected redirect.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.
Black & White Path
We are the beacon of the cyber world, a stepping stone on the road to security.
How this landed with the community
Was this worth your time?
0 Comments
Thoughtful readers leave field notes, pushback, and hard-won operational detail here.
