42Crunch Platform release, September 11, 2025

This 42Crunch API Security Platform release introduces a new name and capabilities to our scan feature.

New features

The following are the new features and improvements to the existing ones in this release.

Rebranded API Scan

Our scan feature just got better: instead of just conformance scan, you can now use it to run different types of scan. To reflect this, we have rebranded our scan feature to API Scan.

The underlying scan engine is the same, and you can still choose between the Scan v1 and v2 like before. The existing conformance scan has been retained as is and you can still use API Scan to run your existing scan configurations. However, if you choose to use Scan v2 engine, in addition to conformance scan you can now also run drift scans.

The screenshot shows an example of the API summary tab of an API, with an overview of results from both API Security Audit and API Scan.

Introducing drift scan

API drift happens when uncontrolled additional development over time causes APIs to deviate from their initial documented API contract. This can lead to high technical debt, dissatisfied API consumers, and can also be outright dangerous, allowing attacks through malicious input or unauthorized access.

This is where a drift scan comes in. Drift scan is a light-weight, non-invasive scan that API Scan runs to detect API drift and ensure that your operational application infrastructure does not change without notice behind your back. This allows you to make sure that the documented API contract continues to evolve hand-in-hand with the overall API implementation.

Drift scan is based on a subset of conformance scan, but it is by default non-invasive: a drift scan only sends GET requests and thus does not do any real fuzzing, to avoid causing issues to operational systems. This allows using drift scan as a monitoring tool for live applications already in production, as well as including also 3rd party APIs your APIs integrate with.

For more details, see Drift scan. We will continue to improve drift scan and introduce more scan types in future releases.

Improvements to scan reports

When downloading a large (over 20 MB) scan report, you can now choose what to you want to export:

  • Unformatted JSON: Exports the full scan report without any formatting, such as line breaks or whitespace. The file size is smaller, but the results are not as human-readable.
  • Formatted JSON: Exports the full scan report formatted for better readability. Because formatting information is included in the exported file, the file size is a bit larger than unformatted JSON.
  • CSV: Exports a list of issues that the scan found as CSV. This is the most light-weight version, but it does not export the full report.

We have also improved the experience with larger Scan v1 reports. If instead of downloading the scan report you choose to try viewing them on the platform UI, you do not have to stay on the report page: you can navigate to another place in the same API and the loading process will continue in the background. The UI will store up to five large reports in memory so that you do not necessarily have to reload the report every time you come back to view it.

For normal (under 20 MB) Scan v2 reports, operations that were not tested in the scan (for example, those with an unsupported content type) are included in the Test type filter, so that you can home in on them. If you have defined any unhappy path scenarios in your scan configuration, you can also find them from this filter.

The screenshot shows filtering the scan report based on the test type. The list of types to filter with has been clicked open and two of the available test types have been selected: operations not tested and unhappy path.

Other improvements

As complex scan configurations can take a long time to finish, we have introduced some safeguards to the configuration creation:

  • Only one scan configuration process per API UUID: If you have started scan configuration generation for a particular API and you try to generate another configuration for the same API while the first process is still running, you get an error and the process for the second configuration is not started. Only after the first process finishes can another process be started.
  • Maximum duration for configuration generation: To avoid the scan configuration process running forever, we have introduced a maximum duration for the scan configuration generation. If the configuration process has not finished in 15 minutes, the process terminates with an error and no configuration is created. This allows ample time for generating complex configurations, but also acts as a safeguard to avoid blocking further configuration generation.

In addition, audit reports exported from the platform now include the date and time when the report was generated, just like when viewed on the UI.

Compatibility

This section lists the compatible Docker images for some of the components of 42Crunch API Security Platform, as well as other possible compatibility details.

API Firewall images

This release is compatible with the following API Firewall images:

  • NEW: 42crunch/apifirewall:v1.1.13
    • Upgrade to httpd-2.4.65 (CVE-2025-53020, CVE-2025-49812, CVE-2025-49630, CVE-2025-23048, CVE-2024-47252, CVE-2024-43394, CVE-2024-43204, CVE-2024-42516, CVE-2025-54090)

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/apifirewall:v1.1.12
    • Fixed handling of schema validating errors
    • Upgrade to go-1.24.4 (CVE-2024-45338)
    • Upgrade to go-grpc 1.73.0
  • 42crunch/apifirewall:v1.1.11
    • Fixed resource consumption on graceful restart
  •  42crunch/apifirewall:v1.1.9
    • Upgrade to expat 2.7.0-r0 (CVE-2024-8176)
    • Upgrade to golang.org/x/net 0.36.0 (CVE-2025-22870)
  • 42crunch/apifirewall:v1.1.8
    • Upgrade to openssl-3.3.3 (CVE-2024-12797, CVE-2024-13176)
  • 42crunch/apifirewall:v1.1.7
    • Fixed the failure in forwarding large request bodies
    • Upgrade to go-1.23.4 (CVE-2024-45338)
  • 42crunch/apifirewall:v1.1.6
    • Upgrade to openssl-3.3.2-r1 (CVE-2024-9143)
  • 42crunch/apifirewall:v1.1.5
    • Switch to the system certificate store to fix certificate authority renewal issue

All previous image versions have been deprecated and are no longer supported. We highly recommend that you switch to the latest image version to take the full advantage of the new features and security improvements.

When you switch the version of the API Firewall image, you must reconfigure any existing protection configurations so that they work with the new version. For more details, see Reconfigure API Protection.

API Scan images

This release is compatible with the following API Scan images for running it on-premises.

We have aligned the scan image version numbering with the version of the platform release, and from now on the minor version number will be the same as the platform release. The major release number will still indicate if the image is for Scan v1 or Scan v2.

Scan v2

  • NEW: 42crunch/scand-agent:v2.49.0
    • Support for drift scan

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/scand-agent:v2.48.0
    • Ignore unsupported operations during scan
    • Fixed calculation of estimated tests and executed tests
    • Fixed variable replacement in Scan v2 in v1-compatible mode
  • 42crunch/scand-agent:v2.47.0
    • Ignore unsupported methods
    • X-Scan-Transactionid included in every request
    • Upgrade to chi v5.2.2 (CWE-601)
  • 42crunch/scand-agent:v2.46.3
    • Upgrade to Golang 1.24.4 (CVE-2025-0913, CVE-2025-22874, CVE-2025-4673)
  • 42crunch/scand-agent:v2.46.1
    • Scan rules defined in the platform taken into account in scans
    • URL normalization
  • 42crunch/scand-agent:v2.45.0
    • Upgrade to Golang 1.24.2 (CVE-2025-22871)
    • Upgrade to golang.org/x/net v0.39.0 (CVE-2025-22872)
  • 42crunch/scand-agent:v2.0.21
    • Support for OWASP API Security Top 10 2023
    • Sub-schemas from anyOf constructions excluded from testing
    • Improved generation of Boolean values in tests
    • Upgrade to golang-jwt/jwt/v5 v5.2.2 (CVE-2025-30204)
    • Upgrade to go-redis/v9 v9.7.3 (CVE-2025-29923)
    • Upgrade to kin-openapi v0.131.0 (CVE-2025-30153)
  • 42crunch/scand-agent:v2.0.20
    • Fixed response validation on arrays
    • Upgrade to golang.org/x/net v0.37.0 (CVE-2025-22870)
  • 42crunch/scand-agent:v2.0.19
    • Initial support for the OAS v3.1 in API Scan
    • Improved .p12 support
    • Upgrade to golang.org/x/oauth2 v0.25.0 (CVE-2025-22868)
    • Upgrade to golang.org/x/crypto v0.33.0 (CVE-2025-22869)
  • 42crunch/scand-agent:v2.0.18
    • Fixed handling of empty scenario list in the lax scanning mode
    • Increased maximum number of items in generated arrays
  • 42crunch/scand-agent:v2.0.17
    • Upgrade to go-git v5.13.1 (CVE-2025-21613, CVE-2025-21614)
    • Upgrade to nanoid v3.3.8 (CVE-2024-55565)
    • Upgrade to golang.org/x/net v0.33.0 (CVE-2024-45338)
    • Upgrade to golang.org/x/crypto v0.31.0 (CVE-2024-45337)
  •  42crunch/scand-agent:v2.0.15
    • Fixed replacement of placeholder texts in variables when generating test requests
    • Fixed generation of properties in test requests
    • Fixed regression on null enums
  • 42crunch/scand-agent:v2.0.13
    • A new property in the scan report to indicate if running a scan test succeeded or not
  • 42crunch/scand-agent:v2.0.12
    • Fixed scan report timestamp
  • 42crunch/scand-agent:v2.0.11
    • Upgrade to Golang v1.23.1 (CVE-2022-30635, CVE-2024-34155, CVE-2024-34156, CVE-2024-34158)
  • 42crunch/scand-agent:v2.0.10
    • New test response-body-badformat-scan
    • Fixed scan configuration creation when items is null
    • Fixed excessive data exposure reporting
  • 42crunch/scand-agent:v2.0.9
    • Scan v2 in v1-compatible mode
    • Support for Accept headers
    • Upgrade to Golang 1.22.5 (CVE-2024-24789, CVE-2024-24790, CVE-2024-24791)
  • 42crunch/scand-agent:v2.0.8
    • New test path-item-method-not-allowed-no-authn-scan
    • Support for apiConnectivityCheck, maxTimeoutRetryAttempts, and requestHeaderNameRequestType
    • Fixed implementation of reportIncludeRequestBody and reportIncludeResponseBody
    • Fixed handling of lookahead and lookbehind assertion references in regular expressions
  • 42crunch/scand-agent:v2.0.7
    • Upgrade to Golang 1.22.3 (CVE-2020-8559, CVE-2024-24788)
  • 42crunch/scand-agent:v2.0.6
    • Lax testing mode
    • Fixed generating conformance test requests when multiple required properties are defined
  • 42crunch/scand-agent:v2.0.4
    • Numeric values exceeding the limits of float64 presented as strings
  • 42crunch/scand-agent:v2.0.3
    • Upgrade to Golang 1.21.5 (CVE-2023-45284, CVE-2023-45283, CVE-2023-39326, CVE-2023-45283)
    • New scan report
    • Tests parameter-header-contenttype-wrong-scan and partial-security-accepted
    • Support for reportIncludeRequestBody, reportIncludeResponseBody, reportMaxRequestSizeHappyPath, reportMaxRequestSizeTest
    • Improved logging for runtime limit
    • Heartbeat check

All previous image versions have been deprecated and are no longer supported.

Scan v1

  • NEW: 42crunch/scand-agent:v1.49.0
    • Internal cleanup and refactoring

We highly recommend that you switch to the latest image version to take full advantage of the new features and security improvements. The following previous images remain compatible and can be used with this platform release:

  • 42crunch/scand-agent:v1.48.0
    • Fixed scan report size checks
  • 42crunch/scand-agent:v1.47.0
    • Ignore unsupported HTTP methods
    • X-Scan-Transactionid included in every request
    • Upgrade to chi v5.2.2 (CWE-601)
  •  42crunch/scand-agent:v1.46.3
    • Upgrade to Golang 1.24.4 (CVE-2025-0913, CVE-2025-22874, CVE-2025-4673)
  • 42crunch/scand-agent:v1.46.0
    • Internal cleanup and refactoring
  • 42crunch/scand-agent:v1.45.0
    • Upgrade to Golang 1.24.2 (CVE-2025-22871)
    • Upgrade to golang.org/x/net v0.39.0 (CVE-2025-22872)
  • 42crunch/scand-agent:v1.22.27
    • Support for OWASP API Security Top 10 2023
    • Sub-schemas from anyOf constructions excluded from testing
    • Improved generation of Boolean values in tests
    • Upgrade to golang-jwt/jwt/v5 v5.2.2 (CVE-2025-30204)
    • Upgrade to go-redis/v9 v9.7.3 (CVE-2025-29923)
    • Upgrade to kin-openapi v0.131.0 (CVE-2025-30153)
  • 42crunch/scand-agent:v1.22.25
    • Initial support for the OAS v3.1 in API Scan
    • Improved .p12 support
    • Upgrade to golang.org/x/oauth2 v0.25.0 (CVE-2025-22868)
    • Upgrade to golang.org/x/crypto v0.33.0 (CVE-2025-22869)
  • 42crunch/scand-agent:v1.22.24
    • Fixed handling of nullable enums and empty strings
    • Increased maximum number of items in generated arrays
  • 42crunch/scand-agent:v1.22.23
    • Upgrade to go-git v5.13.1 (CVE-2025-21613, CVE-2025-21614)
    • Upgrade to nanoid v3.3.8 (CVE-2024-55565)
    • Upgrade to golang.org/x/net v0.33.0 (CVE-2024-45338)
    • Upgrade to golang.org/x/crypto v0.31.0 (CVE-2024-45337)
  • 42crunch/scand-agent:v1.22.21
    • Default value maximum scan report size 20 MB to align with Scan v2
  • 42crunch/scand-agent:v1.22.20
    • Fixed excessive data exposure reporting
  • 42crunch/scand-agent:v1.22.19
    • Upgrade to Golang v1.23.1 (CVE-2022-30635, CVE-2024-34155, CVE-2024-34156, CVE-2024-34158)
    • Happy path tests included in the number of tests
  • 42crunch/scand-agent:v1.22.18
    • Fixed scan configuration creation when items is null
  • 42crunch/scand-agent:v1.22.17
    • Upgrade to Golang 1.22.5 (CVE-2024-24789, CVE-2024-24790, CVE-2024-24791)
  • 42crunch/scand-agent:v1.22.16
    • Upgrade to Golang 1.22.3 (CVE-2020-8559, CVE-2024-24788)
  • 42crunch/scand-agent:v1.22.15
    • Fixed handling of query parameters in request generation
    • Fixed generating conformance test requests when multiple required properties are defined
  • 42crunch/scand-agent:v1.22.14
    • Upgrade to Golang 1.21.5 (CVE-2023-39326, CVE-2023-45283)
  • 42crunch/scand-agent:v1.22.13
    • Upgrade to Golang 1.21.3 (CVE-2023-45284, CVE-2023-45283)
    • Heartbeat check to keep the connection to 42Crunch Platform active in case of extremely long scans
    • Fixed handling of example and x-42c-sample
  • 42crunch/scand-agent:v1.22.12
    • Support for text/plain as content type
    • Support for read-only properties
  • 42crunch/scand-agent:v1.22.11
    • Upgrade to Golang 1.20.7 (CVE-2023-39319, CVE-2023-39318, CVE-2023-3978, CVE-2023-29409)
    • Fixed handling of < and > characters in the request payload
    • Improved handling of content not supported by API Scan
  • 42crunch/scand-agent:v1.22.9
    • Performance improvements to scan configuration generation
    • Better memory handling when generating array items of the type file for scan requests
    • Better handling of expired customization rules
    • Improved JSON schema validation for UTF-8 strings
  • 42crunch/scand-agent:v1.22.8
    • Upgrade to Golang 1.20.4 (CVE-2022-41716, CVE-2022-41717, CVE-2022-41720, CVE-2022-41722, CVE-2022-41723, CVE-2022-41724, CVE-2022-41725, CVE-2023-24532, CVE-2023-24534, CVE-2023-24536, CVE-2023-24537, CVE-2023-24538, CVE-2023-24539, CVE-2023-24540, CVE-2023-29400)
  • 42crunch/scand-agent:v1.22.7
    • Updates to regular expression library
  • 42crunch/scand-agent:v1.22.6
    • Fixed regular expressions handling

      In some rare cases, certain regular expression patterns could send the on-premises scan to an infinite loop, and the process would not finish. This image version fixes that, so if you are experiencing on-premises scan hanging, we recommend upgrading from the previous scan images to this one.

  • 42crunch/scand-agent:v1.22.4
    • Improved array iteration

All previous image versions have been deprecated and are no longer supported.

Known issues

This release has the following known issues.

Manage teams permission not shown on list of users

The permission to manage teams is not yet shown on the list of users in your organization, but you can view all permissions that a user has by clicking the permission column. This permission also does not yet have a shortcut that you could use when searching by permission.

These will be fixed in a future release.

Changing tagging on an API may trigger an unrelated error on the UI

Sometimes applying tags to or removing them from an API may trigger an unrelated error on failing to fetch the SQG approval report for the API. This happens if the API in question has been scanned on-premises and the scan has finished after you arrived on the API Summary page, because the UI cannot find the latest on-premises scan report and the associated approval report. Refreshing the page gets the latest reports and resolves the issue.

Tagging and untagging the API is not affected by this error: tags get correctly applied and removed in any case.

This will be fixed in a future release.

Data dictionary duplication

Duplicating a data dictionary does not yet duplicate the values in it.

This will be fixed in a future release.

Scan customization rules may lead to no response codes being accepted.

In some cases, scan rules can lead to HTTP status response codes in API responses that are normally expected (for example, HTTP 401 or HTTP 404) to be treated as unexpected. This in turn can lead to a false positive in the scan results.

By default, the expected HTTP status response codes that are defined in scan rules applied to the scanned API take preference over the response codes that API Scan would otherwise expect. However, this can cause problems in scan process if your scan rule only skips header or response body analysis but does not define any expected response codes, either for happy path requests or for particular test IDs. This results in the scan rule to have null defined as the expected response code, and because the scan rule takes preference over the default scan behavior, no response codes except null are accepted. This in turn means that some tests are incorrectly flagged as returning unexpected response codes when they were in fact successful.

We are currently investigating the best way how to reconcile the designed behavior of API Scan and scan rules in these cases, and this issue will be fixed in a future release.