Critical Memory Leak in ZAP’s JavaScript Engine Disrupts Active Scanning
The maintainers of the Zed Attack Proxy (ZAP), a widely used open-source web application security scanner, have recently identified a significant memory leak in its JavaScript engine. The issue may have existed for an extended period, but it became particularly problematic after a new JavaScript scan rule was added to the OpenAPI add-on. As a result, security teams using ZAP for dynamic application security testing (DAST) may encounter conditions akin to denial of service during scans.
On January 28, 2026, ZAP’s maintainers issued an alert emphasizing the urgency of addressing this flaw. The memory leak occurs during active scans when the JavaScript engine fails to adequately release resources, leading to rapid memory depletion. The recent update to the OpenAPI add-on, which introduced the problematic JavaScript scan rule, has exacerbated this issue, increasing resource consumption in automated testing environments.
The root cause of this vulnerability lies in inefficient memory management within ZAP’s JavaScript engine. This inefficiency may be associated with prolonged script executions or unhandled garbage collection processes within scan rules.
Active scanning, a core feature of ZAP that involves automated attacks such as SQL injection and cross-site scripting (XSS), triggers the memory leak when processing OpenAPI specifications containing embedded JavaScript logic. The repercussions of this flaw include:
- Crashes or freezes during scanning sessions, impeding the identification of vulnerabilities.
- Increased resource utilization on scanning systems, potentially straining infrastructure in continuous integration and continuous deployment (CI/CD) environments.
- Delays in security assessments for DevSecOps teams utilizing ZAP in Docker or standalone configurations.
While this vulnerability does not expose the applications being scanned to direct exploits, it undermines ZAP’s reliability as a security tool, potentially delaying the detection of patches in production-like settings.
Mitigation and Release Updates
To mitigate immediate risks, the OpenAPI add-on has been updated to disable the problematic JavaScript scan rule by default. Users are advised to update to the latest version to implement this workaround. Additionally, nightly and weekly ZAP releases now include the fix, with updated Docker images available for both weekly and live channels.
| Release Type | Status | Update Advice |
|----------------------|---------|-------------------------------------|
| Nightly | Updated | Pull the latest version for testing |
| Weekly | Updated | Recommended for production scans |
| Docker (Weekly/Live) | Updated | Rebuild containers promptly |
| Stable | Pending | Monitor for the forthcoming fix |
Developers should verify their installations using the command `zaproxy -version` (ZAP's command-line options take a single leading hyphen) and re-enable the JavaScript scan rule only after the underlying issue has been resolved.
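Teams that must keep scans running on shared CI runners before the stable fix lands can bound the damage by watching the scanner process's resident memory and stopping it once the growth trend will exhaust a budget. The following is an added example, not code from the ZAP project; the function names, the 10-minute horizon, the sampling interval and the sample figures are assumptions, and it reads `/proc`, so it is Linux-only.

```python
# Added example (not ZAP project code): stop a scanner whose memory keeps climbing.
import os
import signal
import time

def rss_mib(pid):
    """Resident set size of `pid` in MiB, read from /proc (Linux only)."""
    with open(f"/proc/{pid}/status") as fh:
        for line in fh:
            if line.startswith("VmRSS:"):
                return int(line.split()[1]) / 1024  # field is reported in kB
    raise ProcessLookupError(f"no VmRSS for pid {pid}")

def growth_rate(samples):
    """Least-squares slope in MiB/s over [(seconds, MiB), ...]; smooths GC sawtooth."""
    mean_t = sum(t for t, _ in samples) / len(samples)
    mean_m = sum(m for _, m in samples) / len(samples)
    var_t = sum((t - mean_t) ** 2 for t, _ in samples)
    cov = sum((t - mean_t) * (m - mean_m) for t, m in samples)
    return cov / var_t if var_t else 0.0

def verdict(samples, limit_mib, horizon_s=600, min_samples=5):
    """'over-limit', 'leaking' (budget reached within horizon_s at this slope) or 'ok'."""
    current = samples[-1][1]
    if current >= limit_mib:
        return "over-limit"
    if len(samples) < min_samples:
        return "ok"  # too little data to call a trend
    slope = growth_rate(samples)
    if slope > 0 and (limit_mib - current) / slope <= horizon_s:
        return "leaking"
    return "ok"

def watch(pid, limit_mib, interval_s=30, window=20):
    """Sample `pid` until it exits or trips the verdict; SIGTERM it in the latter case."""
    samples, start = [], time.monotonic()
    while True:
        try:
            samples.append((time.monotonic() - start, rss_mib(pid)))
        except (FileNotFoundError, ProcessLookupError):
            return "exited"  # process finished (or is a zombie) before tripping
        samples = samples[-window:]  # judge the recent trend only
        state = verdict(samples, limit_mib)
        if state != "ok":
            os.kill(pid, signal.SIGTERM)
            return state
        time.sleep(interval_s)
```

Call `watch(pid, limit_mib)` from the CI job with the scanner's process ID and a memory budget below the runner's capacity; a return value of `"leaking"` or `"over-limit"` means the scan was stopped and its results are incomplete.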
The ZAP development team is prioritizing a permanent solution to the JavaScript engine memory leak, with ongoing updates expected in the near future. This incident highlights the complexities involved in integrating dynamic scripting within security tools, where performance issues can escalate into operational vulnerabilities.
Security professionals are encouraged to monitor ZAP’s GitHub repository and official announcements for updates regarding the stable release. In the interim, utilizing passive scans or alternative tools such as Burp Suite may serve as temporary solutions.
Recently, the ZAP team released the OWASP Penetration Testing Kit (PTK) add-on, version 0.2.0 alpha, which integrates the OWASP PTK browser extension directly into browsers launched by ZAP.