# Install wuppiefuzz with Homebrew

Coverage-guided REST API fuzzer developed on top of LibAFL. Version 1.6.0 via Homebrew; verified 2026-06-25.

## Install

```sh
sudo av install brew:wuppiefuzz
```

Additional install commands:

### macOS

- Homebrew (100%):

```sh
brew install wuppiefuzz
```

  Evidence: local Homebrew formula metadata

## Package facts

- **Package key:** brew:wuppiefuzz
- **Package manager:** Homebrew
- **Package manager page:** <https://formulae.brew.sh/formula/wuppiefuzz>
- **Version:** 1.6.0
- **Source summary:** Coverage-guided REST API fuzzer developed on top of LibAFL
- **Homepage:** <https://github.com/TNO-S3/WuppieFuzz>
- **Repository:** <https://github.com/TNO-S3/WuppieFuzz>
- **Upstream docs:** <https://github.com/TNO-S3/WuppieFuzz#readme>
- **License:** Apache-2.0
- **Source archive:** <https://github.com/TNO-S3/WuppieFuzz/releases/download/v1.6.0/source.tar.gz>
- **Last updated:** 2026-06-25T20:42:36Z
- **Generated:** 2026-07-08T07:18:31+00:00

## Executables

- wuppiefuzz (cli)
- wuppiefuzz (alias)

## Dependencies

- z3

## Build dependencies

- cmake
- pkgconf
- rust

## Uses from macOS

- sqlite

## Install behavior

- Post-install hook: not defined
- Bottle: available on arm64_linux, arm64_sequoia, arm64_sonoma, arm64_tahoe, sonoma, x86_64_linux

## Freshness

- Page generated: 2026-07-08
- Package-manager version: 1.6.0
- Package-manager updated: 2026-06-25
- Local data: ok
- Upstream repository: https://github.com/TNO-S3/WuppieFuzz
- info: No cached GitHub release or tag data was available.
## Project history and usage

WuppieFuzz is TNO's open-source, coverage-guided REST API fuzzer built on LibAFL. The project targets black-box, grey-box, and white-box testing and emphasizes ease of use, explainable findings, and modularity.

### Project history

The project is developed under the TNO-S3 GitHub organization and is implemented primarily in Rust. Its README presents WuppieFuzz as a practical REST API fuzzing tool, while its academic publication frames it as coverage-guided, stateful REST API fuzzing driven by OpenAPI specifications and REST-specific mutators.

The tool's research context is modern API security. The TNO repository and 2025/2026 publication describe a workflow in which an OpenAPI specification seeds request sequences, LibAFL and REST-specific mutation explore behavior, and coverage measurements guide which request sequences are sent next to reach complex application states.

### Adoption history

WuppieFuzz has moved beyond a repository-only release into security tooling visibility: its README lists media coverage, a ONE Conference e-magazine feature, an OpenAPI.tools listing, a Nordic APIs talk, and a Thoughtworks Technology Radar mention. The preferred citation points to the ICISSP 2026 proceedings, giving it both an open-source and research footprint.

### How it is used

Users run WuppieFuzz against a target application and provide an OpenAPI specification so the fuzzer can generate and mutate requests. For coverage-guided setups, the README shows passing coverage configuration such as JaCoCo data for a Java target; the paper also describes harness automation and reports that help developers fix bugs.

### Why package nerds care

For security package collections, WuppieFuzz is notable because it brings LibAFL-style coverage-guided fuzzing into the REST API space instead of staying at the binary or library fuzzing layer. It sits near OpenAPI tooling, API security testing, Rust fuzzing infrastructure, and developer-friendly security automation.

### Timeline

- 2024: Project media coverage and conference visibility begin appearing in the upstream README.
- 2025: TNO's publication record lists WuppieFuzz as a conference paper.
- 2025-12-17: The WuppieFuzz paper is submitted to arXiv.
- 2026: The README identifies WuppieFuzz v1.6.0 and cites the ICISSP 2026 proceedings.

### Related projects

- WuppieFuzz is built on LibAFL and is comparable to other REST API fuzzers and API testing tools that consume OpenAPI specifications. The paper explicitly discusses black-box, grey-box, and white-box API fuzzing in relation to existing approaches such as EvoMaster.

### Sources

- <https://arxiv.org/abs/2512.15554>
- <https://github.com/TNO-S3/WuppieFuzz>
- <https://repository.tno.nl/SingleDoc?docId=81140>


## Security Notes

No matching local secret-handling manifest was found for wuppiefuzz. Nucleus package metadata is still published here so future coverage has a stable package URL.



## Configuration and credential file locations

These source-backed paths show where this package keeps local settings or durable credentials. Automic Vault can use them as review targets for secret scanning, migration, and command approval.


## Configuration files

- Unix: config.yaml
## Source Database Details

- **Source Database:** Homebrew formula API
- **Tap:** homebrew/core
- **Full Name:** wuppiefuzz
- **Version Scheme:** 0
- **Revision:** 0
- **Bottle Stable Root URL:** <https://ghcr.io/v2/homebrew/core>
- **Deprecated:** no
- **Disabled:** no
- **Keg Only:** no
- **URL Keys:** stable


## Related links

- [Cloud CLI packages](https://www.automicvault.com/pkg/cloud-clis/) - Belongs to a cloud or infrastructure command family.
- [Source-control packages](https://www.automicvault.com/pkg/source-control-tools/) - Belongs to a source-control command family.
- [Terminal utility packages](https://www.automicvault.com/pkg/terminal-utilities/) - Matched terminal and command-line workflow metadata.
- [Language runtime packages](https://www.automicvault.com/pkg/language-runtime-packages/) - Matched language runtime, compiler, or interpreter metadata.
- [z3](https://www.automicvault.com/pkg/brew/z3/) - Runtime dependency declared by Homebrew.
- [cmake](https://www.automicvault.com/pkg/brew/cmake/) - Build dependency declared by Homebrew.
- [pkgconf](https://www.automicvault.com/pkg/brew/pkgconf/) - Build dependency declared by Homebrew.
- [rust](https://www.automicvault.com/pkg/brew/rust/) - Build dependency declared by Homebrew.
- [h26forge](https://www.automicvault.com/pkg/brew/h26forge/) - Shares av.db curated category or tags: cli, fuzzing, rust, security, security-testing.
- [afl++](https://www.automicvault.com/pkg/brew/afl/) - Shares av.db curated category or tags: cli, fuzzing, security, security-testing, testing.
- [echidna](https://www.automicvault.com/pkg/brew/echidna/) - Shares av.db curated category or tags: cli, fuzzing, security, security-testing, testing.
- [ffuf](https://www.automicvault.com/pkg/brew/ffuf/) - Shares av.db curated category or tags: cli, fuzzing, security.
- [medusa](https://www.automicvault.com/pkg/brew/medusa/) - Shares av.db curated category or tags: cli, fuzzing, security, security-testing.
- [radamsa](https://www.automicvault.com/pkg/brew/radamsa/) - Shares av.db curated category or tags: cli, fuzzing, security, security-testing.
- [slowhttptest](https://www.automicvault.com/pkg/brew/slowhttptest/) - Shares av.db curated category or tags: cli, security, security-testing, testing.
- [jwt-hack](https://www.automicvault.com/pkg/brew/jwt-hack/) - Shares av.db curated category or tags: cli, security, testing.

## Combined YAML source

View the package source record on GitHub. [combined/wuppiefuzz.yml](https://github.com/automic-vault/db/blob/main/combined/wuppiefuzz.yml)


## Sources

- Nucleus package database
- Geiger risk classifier
- package-page enrichment
- curated configuration and credential file locations
- curated package history
- package version freshness
- av.db category and tag curation
- package relationship graph
- cross-ecosystem install command graph
