What's New in Mayhem 2.12

David Brumley
May 19, 2025

Mayhem for API (MAPI)

Discover APIs: Added a new mapi discover command that discovers servers, discovers their API endpoints, and then writes out the inferred OpenAPI specification. Options include:

Networks (mapi discover --cidr): Scan a network block. For example,
mapi discover --cidr 192.168.0.0/16 -o output_dir
will scan 192.168.0.0-192.168.255.255 for servers, enumerate endpoints, and save an inferred spec for each host in the output_dir folder.

Domains (mapi discover --domains): Scan a comma-separated list of domains, using OSINT sources like certificate transparency lists to find hosts. For example,
mapi discover --domains foo.com,bar.com --ports 80,8080 -o output_dir
will discover servers on domains foo.com and bar.com, and check for an API on ports 80 and 8080.

Hosts (mapi discover --hosts): Scan a comma-separated list of hosts to discover API endpoints. For example,
mapi discover --hosts 127.0.0.1 --ports 80,8080,443
will scan the three specified ports for

New Checkers: We’ve added new checkers for:

  • XSS vulnerabilities: Detects whether the target is vulnerable to Cross-Site Scripting (XSS) by checking that the response type is HTML and that the response contains the injected JavaScript code.
  • Insecure/default credentials: Detects whether the API accepts insecure credentials, such as 'admin':'admin'.
  • TLS Security: Checks that TLS is configured properly and securely.

New Wizard: Explore and configure a new API target in the UI. You can specify different authentication methods, customize headers, and configure advanced settings such as which rules to enable. Once configured, copy-and-paste the generated command line.

View/Copy CLI Command: See how a previous run was invoked, and copy-and-paste it to the CLI to reproduce the exact behavior.
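The XSS checker's decision rule (HTML response that reflects the injected input unescaped) is simple enough to show in code. The following is an added illustration, not Mayhem's implementation; it uses a harmless constructed marker string in place of script so the same rule can be run offline against constructed sample responses.

```python
"""Illustrative reflected-XSS decision rule (added example, not Mayhem code).

A response counts as a finding only when BOTH hold:
  1. the Content-Type names an HTML document, and
  2. the injected marker appears verbatim (not entity-encoded) in the body.
A JSON echo or an HTML-escaped reflection is the safe case.
"""
import html
from typing import Mapping

# Constructed marker standing in for the fuzzer's injected payload.
MARKER = "<mapi-xss-canary-1b2e>"


def is_html(headers: Mapping[str, str]) -> bool:
    """True when the Content-Type header (any case) names HTML."""
    ctype = next((v for k, v in headers.items() if k.lower() == "content-type"), "")
    media = ctype.split(";", 1)[0].strip().lower()
    return media in ("text/html", "application/xhtml+xml")


def check_xss(headers: Mapping[str, str], body: str, marker: str = MARKER) -> dict:
    """Classify one response; 'vulnerable' requires HTML and a raw reflection."""
    html_resp = is_html(headers)
    unescaped = html_resp and marker in body
    # html.escape turns '<' and '>' into &lt; / &gt;, which browsers render as
    # text, so an escaped reflection is reported separately and is not a finding.
    escaped = html_resp and not unescaped and html.escape(marker) in body
    return {
        "content_type_html": html_resp,
        "reflected_unescaped": unescaped,
        "reflected_escaped": escaped,
        "vulnerable": unescaped,
    }


# Constructed sample responses: (headers, body).
SAMPLES = {
    "json_echo": ({"Content-Type": "application/json"}, '{"q": "' + MARKER + '"}'),
    "html_escaped": ({"Content-Type": "text/html; charset=utf-8"},
                     "<p>You searched for " + html.escape(MARKER) + "</p>"),
    "html_raw": ({"content-type": "text/html"},
                 "<p>You searched for " + MARKER + "</p>"),
}

if __name__ == "__main__":
    for name, (hdrs, body) in SAMPLES.items():
        print(name, check_xss(hdrs, body))
```

Only `html_raw` is reported as vulnerable; the JSON echo fails the content-type test and the escaped HTML fails the raw-reflection test.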

Mayhem for Code

Symbolic Execution performance. Improved performance for multi-threaded code.

Improved Golang support. Faster analysis, plus a fix for a bug where, in certain circumstances, Golang’s signal-based thread preemption would cause the symbolic executor to crash.

Enterprise Management

Superusers can assign users to workspace: Superusers can now assign users directly to a workspace without using the invite process.

Mayhem finds critical issues in BGP!

We are committed to helping make OSS secure. This release we showcase our improved Golang support by finding and responsibly disclosing 4 new CVEs in the popular goBGP package:

Interested in learning more? Contact your CS rep, or sales@mayhem.security.
