ChainFuzzer: Greybox Fuzzing for Workflow-Level Multi-Tool Vulnerabilities in LLM Agents
New framework exposes critical security flaws in multi-step AI agents that single-tool testing misses.
A team of researchers has unveiled ChainFuzzer, a novel security framework designed to find dangerous vulnerabilities in LLM agents that use multiple tools in sequence. The core problem is that as agents like AutoGPT or custom workflows chain tools together, data from one tool can flow to another, creating exploitable 'source-to-sink' dataflows that only emerge through tool composition. Existing security tests that focus on single tools in isolation miss these complex, long-horizon attack vectors entirely.
ChainFuzzer automates the discovery process in three key stages. First, it identifies high-risk operations and extracts plausible upstream tool chains based on cross-tool dependencies, achieving 91.50% precision. Second, its Trace-guided Prompt Solving (TPS) module synthesizes stable prompts that reliably drive the agent to execute the target chains, increasing reachability from 27.05% to 95.45%. Finally, it performs guardrail-aware fuzzing, mutating payloads and using sink-specific checks to reproduce vulnerabilities even when LLM safety filters are active, boosting the trigger rate from 18.20% to 88.60%.
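To make the source-to-sink idea and the extract/solve/fuzz pipeline above concrete, here is an added illustration (not ChainFuzzer's code and not from the paper): a constructed tool catalogue for a hypothetical agent, chain extraction over the cross-tool dependency graph, a keyword blocklist standing in for an LLM safety filter, and sink-specific oracles driven by a small mutation loop. The prompt-synthesis step (TPS) is omitted; the example feeds payloads straight to the sink. Every tool name, blocklist entry, mutator and oracle rule is an assumption made for this example.

```python
"""Added illustration (not ChainFuzzer's code): source-to-sink chain extraction
over a constructed tool catalogue, then guardrail-aware fuzzing of one sink with
a sink-specific oracle. All names and rules here are assumptions for the example."""
from __future__ import annotations
from dataclasses import dataclass
import re


@dataclass(frozen=True)
class Tool:
    name: str
    inputs: frozenset        # data kinds the tool consumes
    outputs: frozenset       # data kinds the tool produces
    untrusted: bool = False  # returns attacker-influenced content (web page, mail, file)
    sink: str = ""           # high-risk operation class, "" if the tool is benign


# Constructed catalogue for a hypothetical agent.
TOOLS = [
    Tool("fetch_url", frozenset({"url"}), frozenset({"text"}), untrusted=True),
    Tool("read_email", frozenset(), frozenset({"text"}), untrusted=True),
    Tool("summarize", frozenset({"text"}), frozenset({"text"})),
    Tool("plan_command", frozenset({"text"}), frozenset({"command"})),
    Tool("run_shell", frozenset({"command"}), frozenset({"text"}), sink="shell_exec"),
    Tool("write_file", frozenset({"path", "text"}), frozenset(), sink="file_write"),
    Tool("send_email", frozenset({"text"}), frozenset(), sink="exfil"),
]


def dependency_edges(tools):
    """Cross-tool dependency a -> b: some output kind of a is an input kind of b."""
    return {a.name: [b.name for b in tools if b is not a and a.outputs & b.inputs]
            for a in tools}


def extract_chains(tools, max_len=4):
    """Simple paths from an untrusted source tool to the first sink tool. These
    are the candidate multi-tool chains a prompt must drive the agent through."""
    by_name = {t.name: t for t in tools}
    edges = dependency_edges(tools)
    found = set()

    def walk(path):
        if by_name[path[-1]].sink:
            found.add(tuple(path))
            return
        if len(path) < max_len:
            for nxt in edges[path[-1]]:
                if nxt not in path:
                    walk(path + [nxt])

    for t in tools:
        if t.untrusted:
            walk([t.name])
    return sorted(found)


# Constructed stand-in for an LLM safety filter: a case-insensitive blocklist.
BLOCKLIST = ("rm -rf", "curl ", "wget ", "/etc/passwd")


def guardrail_allows(arg):
    low = arg.lower()
    return not any(b in low for b in BLOCKLIST)


# Sink-specific oracles: did the argument that reached the sink actually do harm?
SHELL_ORACLE = re.compile(r"(^|[;&|]\s*)(curl|wget|nc|rm|chmod|bash|sh)\b|[;&|`]|\$\(")


def _shell_normalize(arg):
    """Undo common filter-evasion tricks so the check sees what the shell would run."""
    return arg.replace("${IFS}", " ").replace('""', "").replace("''", "")


ORACLES = {
    "shell_exec": lambda arg: SHELL_ORACLE.search(_shell_normalize(arg)) is not None,
    "file_write": lambda arg: ".." in arg or arg.startswith(("/etc/", "/root/", "~/.ssh")),
    "exfil": lambda arg: "CANARY-7f3a" in arg,  # constructed secret planted in the agent
}

# Payload mutators: the guardrail sees the mutated string, the shell sees the original.
MUTATORS = {
    "raw": lambda s: s,
    "ifs_spaces": lambda s: s.replace(" ", "${IFS}"),
    "quote_split": lambda s: s[:1] + '""' + s[1:],
}


def fuzz_sink(sink, seeds):
    """Guardrail-aware fuzzing of one sink: keep every (seed, mutator) pair whose
    payload passes the guardrail and still trips the sink's oracle."""
    oracle = ORACLES[sink]
    hits = []
    for seed in seeds:
        for name, mutate in MUTATORS.items():
            payload = mutate(seed)
            if guardrail_allows(payload) and oracle(payload):
                hits.append((seed, name, payload))
    return hits


if __name__ == "__main__":
    for chain in extract_chains(TOOLS):
        print(" -> ".join(chain))
    for seed, mutator, payload in fuzz_sink("shell_exec", ["ls /tmp", "rm -rf /tmp/agent"]):
        print(f"reproduced via {mutator}: {payload!r}")
```

Two points the toy makes that carry over to real agents: the catalogue above yields no single-tool finding at all, every chain to `run_shell` passes through at least one intermediate tool, which is why per-tool testing misses them; and the raw destructive command is stopped by the blocklist while two trivial rewrites of it are not, which is why the oracle has to judge the sink's effective behaviour rather than the surface string the guardrail saw.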
In a major evaluation, ChainFuzzer was tested on 20 popular open-source LLM agent applications encompassing 998 individual tools. The framework extracted 2,388 candidate tool chains, synthesized 2,213 stable prompts, and ultimately confirmed 365 unique, reproducible vulnerabilities across 19 of the 20 apps. Critically, 302 of these vulnerabilities required multi-tool execution to trigger, demonstrating the unique threat landscape of composed workflows. The researchers note ChainFuzzer achieves a finding rate of 3.02 vulnerabilities per 1 million tokens processed, establishing it as a scalable tool for developers and security teams.
- Finds 365 unique vulnerabilities across 19/20 tested LLM agent apps, with 302 requiring multi-tool execution.
- Uses Trace-guided Prompt Solving to boost chain execution reachability from 27.05% to 95.45%.
- Achieves a practical finding rate of 3.02 vulnerabilities per 1 million tokens processed.
Why It Matters
As enterprises deploy agents that chain tools together, reviewing each tool in isolation is no longer enough: 302 of the 365 confirmed vulnerabilities only appear when tools are composed, so security testing has to cover the workflow level, and the 88.60% trigger rate with safety filters active shows that LLM guardrails alone cannot be relied on to block the resulting payloads.