pip3 install frelatage Current release : 0.0.2

The Python Fuzzer that the world deserves

Installation    |    How it works    |    Features    |    Use Frelatage    |    Configuration

Frelatage is a coverage-based Python fuzzing library which can be used to fuzz python code. The development of Frelatage was inspired by various other fuzzers, including AFL/AFL++, Atheris and PyFuzzer.The main purpose of the project is to take advantage of the best features of these fuzzers and gather them together into a new tool in order to efficiently fuzz python applications.

DISCLAIMER : This project is at the alpha stage and can still cause many unexpected behaviors. Frelatage should not be used in a production environment at this time.


Python 3


Install with pip (recommended)

pip3 install frelatage

Or build from source

Recommended for developers. It automatically clones the main branch from the frelatage repo, and installs from source.

# Automatically clone the Frelatage repository and install Frelatage from source
bash <(wget -q https://raw.githubusercontent.com/Rog3rSm1th/Frelatage/main/scripts/autoinstall.sh -O -)

How it works

The idea behind the design of Frelatage is the usage of a genetic algorithm to generate mutations that will cover as much code as possible. The functioning of a fuzzing cycle can be roughly summarized with this diagram :

graph TB

    m1(Mutation 1) --&gt; |input| function(Fuzzed function)
    m2(Mutation 2) --&gt; |input| function(Fuzzed function)
    mplus(Mutation ...) --&gt; |input| function(Fuzzed function)
    mn(Mutation n) --&gt; |input| function(Fuzzed function)
    function --&gt; generate_reports(Generate reports)
    generate_reports --&gt; rank_reports(Rank reports)  
    rank_reports --&gt; select(Select n best reports)
    select --&gt; |mutate| nm1(Mutation 1) &amp; nm2(Mutation 2) &amp; nmplus(Mutation ...) &amp; nmn(Mutation n)
    subgraph Cycle mutations
    direction LR
    subgraph Next cycle mutations
    direction LR
    style function fill:#5388e8,stroke:white,stroke-width:4px


Fuzzing different argument types:

  • String
  • Int
  • Float
  • List
  • Tuple
  • Dictionary

File fuzzing

Frelatage allows to fuzz a function by passing a file as input.

Use Frelatage

Fuzz a classical parameter

import frelatage
import my_vulnerable_library

def MyFunctionFuzz(data):

input = frelatage.Input(value="initial_value")
f = frelatage.Fuzzer(MyFunctionFuzz, [input])

Fuzz a file parameter

Frelatage gives you the possibility to fuzz file type input parameters. To initialize the value of these files, you must create as many files in the input folder as there are arguments of type file. These files must be named as follows: the first file argument must be named 0, the second 1, and so on.

In case we have only one input file, we can initialize it like this:

echo "initial value" > ./in/0

And then run the fuzzer:

import frelatage
import my_vulnerable_library

def MyFunctionFuzz(data):

input = frelatage.Input(file=True)
f = frelatage.Fuzzer(MyFunctionFuzz, [input])

Fuzz with a dictionary

You can copy one or more dictionaries located here in the directory dedicated to dictionaries (./dict by default).


Each crash is saved in the output folder (./out by default), in a folder named : id<crash ID>,err<error type>.

The report directory is in the following form:

    ├── out
    │   ├── id<crash ID>,err<error type>
    │       ├── input
    │       ├── 0
    │       └── ...
    │   ├── ...

Read a crash report

Inputs passed to a function are serialized using the pickle module before being saved in the <report_folder>/input file. It is therefore necessary to deserialize it to be able to read the contents of the file. This action can be performed with this script.

./read_report.py input


There are two ways to set up Frelatage:

Using the environment variables

ENV Variable Description Possible Values Default Value
FRELATAGE_DICTIONARY_ENABLE Enable the use of mutations based on dictionary elements 1 to enable, 0 otherwise 1
FRELATAGE_TIMEOUT_DELAY Delay in seconds after which a function will return a TimeoutError 120 2
FRELATAGE_INPUT_FILE_TMP_DIR Temporary folder where input files are stored absolute path to a folder, e.g. /tmp/custom_dir /tmp/frelatage
FRELATAGE_INPUT_MAX_LEN Maximum size of an input variable in bytes 41000000 4094
FRELATAGE_MAX_THREADS Maximum number of simultaneous threads 850 8
FRELATAGE_DICTIONARY_DIR Default directory for dictionaries. It needs to be a relative path (to the path of the fuzzing file) relative path to a folder, e.g. ./dict ./dict

A configuration example :

export FRELATAGE_INPUT_FILE_TMP_DIR="/tmp/frelatage" &&
python3 fuzzer.py

Passing arguments to the fuzzer

import frelatage 

def myfunction(input1_string, input2_int):

input1 = frelatage.Input(value="initial_value")
input2 = frelatage.Input(value=2)

f = frelatage.Fuzzer(
    # The method you want to fuzz
    # The initial arguments
    arguments=[input1, input2],
    # Number of threads
    # Exceptions that will be taken into account
    # Exceptions that will not be taken into account
    # Directory where the error reports will be stored
    # Directory containing the initial input files
    # Enable or disable silent mode


Please keep in mind that, similarly to many other computationally-intensive tasks, fuzzing may put strain on your hardware and on the OS. In particular:

  • Your CPU will run hot and will need adequate cooling. In most cases, if cooling is insufficient or stops working properly, CPU speeds will be automatically throttled. That said, especially when fuzzing on less suitable hardware (laptops, smartphones, etc), it’s not entirely impossible for something to blow up.

  • Targeted programs may end up erratically grabbing gigabytes of memory or filling up disk space with junk files. Frelatage tries to enforce basic memory limits, but can’t prevent each and every possible mishap. The bottom line is that you shouldn’t be fuzzing on systems where the prospect of data loss is not an acceptable risk.

  • Fuzzing involves billions of reads and writes to the filesystem. On modern systems, this will be usually heavily cached, resulting in fairly modest “physical” I/O – but there are many factors that may alter this equation. It is your responsibility to monitor for potential trouble; with very heavy I/O, the lifespan of many HDDs and SSDs may be reduced.

    A good way to monitor disk I/O on Linux is the ‘iostat’ command:

    $ iostat -d 3 -x -k [...optional disk ID...]


for any remark, suggestion, bug report, or if you found a bug using Frelatage, you can contact me at [email protected] or on twitter @Rog3rSm1th


View Github