AFL Runner supports a TOML project configuration file that lets you persist all campaign settings alongside your target binaries. On startup, aflr automatically looks for aflr_cfg.toml in the current working directory. If found, its values are loaded and merged with any CLI flags you provide — CLI flags always win over config file values, so you can override individual settings without editing the file. If you want to store your config at a different path or with a different name, pass --config <path> to any aflr subcommand and the file will be loaded from that location instead.
For auto-discovery to work, the file must be named exactly aflr_cfg.toml and placed in the directory where you invoke aflr. Use --config /path/to/myconfig.toml to load any other file name or location.

Configuration sections
The config file is divided into five TOML sections, each corresponding to a logical grouping of options. All keys are optional — omit any key to fall back on the CLI flag or built-in default.

[target]
Defines the binary variants AFL Runner will use to build its fuzzing harness. Only path is strictly required; all other binary paths are optional and activate additional instrumentation when provided.

Absolute or relative path to the primary AFL++-instrumented binary. This binary is used by all fuzzer instances that are not assigned a CMPCOV binary. Required for aflr run and aflr gen.

Path to the sanitizer-instrumented binary (e.g. compiled with AFL_USE_ASAN=1, AFL_USE_UBSAN=1, or combined sanitizers). AFL Runner assigns this binary to a subset of secondary fuzzer instances for enhanced crash detection. Omit if you have not compiled a sanitizer variant.

Path to the CMPLOG-instrumented binary (compiled with AFL_LLVM_CMPLOG=1). AFL Runner automatically assigns the CMPLOG binary to approximately 30% of runner instances, distributing CMPLOG modes (Standard, Extended, Transforms) across them.

Path to the CMPCOV / Laf-intel-instrumented binary (compiled with AFL_LLVM_LAF_ALL=1). AFL Runner assigns this binary to 1–3 instances depending on total runner count. Omit if you have not compiled a CMPCOV variant.

Path to the coverage-instrumented binary used exclusively by aflr cov. This binary should be compiled with LLVM source-based coverage instrumentation (-fprofile-instr-generate -fcoverage-mapping or AFL_LLVM_CPROF=1). It is never passed to afl-fuzz.

Arguments to pass to the target binary. Use @@ as a placeholder where AFL++ should substitute the mutated input file path. For targets that read from stdin, omit @@ entirely — AFL++ pipes input automatically.

[coverage]
Controls how aflr cov generates LLVM coverage reports from the AFL++ output directory. These settings are ignored by aflr run and aflr gen.

Output format for the coverage report. Accepted values are "HTML" and "TEXT". HTML produces an interactive annotated source view; TEXT produces a plain-text summary suitable for CI log output.

When true, AFL Runner generates a separate coverage report for each AFL++ queue sub-directory (one per fuzzer instance) rather than a single unified report over all queues. Useful for comparing per-instance coverage contributions.

Extra arguments appended verbatim to the llvm-cov show invocation. Refer to the llvm-cov show documentation for all available flags.

Extra arguments appended verbatim to the llvm-cov report invocation. Refer to the llvm-cov report documentation for all available flags.

[afl_cfg]
Controls the AFL++ campaign parameters: how many processes to launch, where to find inputs and outputs, and which fuzzing strategy to apply.

Total number of afl-fuzz processes to spawn. In MultipleCores mode, the first instance is the -M main fuzzer and the remaining runners - 1 are -S secondary fuzzers. Defaults to 1 if not specified.

Absolute or relative path to a custom afl-fuzz binary. When omitted, AFL Runner uses whichever afl-fuzz is found on PATH.

Path to the seed corpus directory passed to afl-fuzz -i. Defaults to /tmp/afl_input if not specified and not overridden by CLI.

AFL++ output directory passed to afl-fuzz -o. Crashes, hangs, and queue entries are written here. Defaults to /tmp/afl_output if not specified and not overridden by CLI.

Path to an AFL++ token dictionary file passed via -x. Provides AFL++ with domain-specific tokens (e.g. protocol keywords, file format magic bytes) to improve mutation quality.

Raw AFL++ flags appended to every generated afl-fuzz command verbatim. Use this to pass any afl-fuzz option that AFL Runner does not manage natively, such as a custom title, a fixed PRNG seed, or a timeout multiplier.

Strategy mode used to generate AFL++ commands. Accepted values: "Default", "MultipleCores", "CIFuzzing". Defaults to "MultipleCores" when not specified. See the Fuzzing Modes reference for a full breakdown of each mode.

Enable AFL++ Nyx mode by passing -Y to all fuzzer instances. When true, the target.path must point to a Nyx share directory (a directory, not an executable). CMPLOG and coverage instrumentation are incompatible with Nyx mode and will be rejected at startup.

[session]
Controls how AFL Runner manages the multiplexer session that hosts the fuzzer processes.

When true, AFL Runner prints all generated afl-fuzz commands to stdout without creating a session or executing them. Equivalent to aflr gen. Useful for inspecting the exact command lines that would be run.

Custom name for the tmux or screen session created by aflr run. If not provided, AFL Runner auto-generates a session name. Useful when running multiple campaigns simultaneously on the same host.

Multiplexer backend to use for session management. Accepted values: "tmux" (default) and "screen". The chosen backend must be installed and available on PATH.

[misc]
Miscellaneous options that control the AFL Runner launch experience and performance tuning.

When true, AFL Runner automatically attaches the aflr tui stats display after launching the fuzzing session. Has no effect when dry_run is also true.

When true, AFL Runner starts the fuzzing session without attaching to it. The session runs in the background and can be attached manually with tmux attach or screen -r. Has no effect when dry_run is true.

When true, AFL Runner attempts to create and use a RAM-backed filesystem for AFL++ to store its .cur_input scratch file. This can reduce disk I/O pressure on spinning disks or reduce wear on SSDs during long campaigns.

Seed value for the AFL Runner internal PRNG, which governs the randomized distribution of strategies across fuzzer instances. Setting this to a fixed value produces deterministic command generation — given the same seed and runner count, the exact same set of afl-fuzz commands is always generated.

When true, the seed value from [misc] is also forwarded to every afl-fuzz instance via -s, enabling deterministic AFL++ fuzzing. Has no effect unless seed is also set.

Annotated template
The following template lists every supported configuration key with inline comments. Copy it as a starting point and fill in the paths for your target.

Two keys differ from the upstream AFLR_CFG_TEMPL.toml file: the coverage split flag is split_report (singular) and the ramdisk flag is is_ramdisk, matching the exact field names in the Rust structs that serde deserializes into. The upstream template has typos (split_reports and ramdisk) that are silently ignored at parse time.

Real-world example: fuzzing xmllint
The following config is from the AFL Runner examples directory. It fuzzes xmllint from libxml2 2.10.0 with 6 runners, all four binary variants, and an XML token dictionary.