The ZAP (Zed Attack Proxy) project, a widely used open-source web application security scanner, has disclosed a critical memory leak in its JavaScript engine.
This flaw, likely present for some time, now disrupts active scanning workflows following the introduction of a new JavaScript scan rule in the OpenAPI add-on.
Security teams relying on ZAP for dynamic application security testing (DAST) can see scan hosts run out of memory partway through a scan, with the scan crashing or hanging rather than completing.
ZAP maintainers issued the alert on January 28, 2026, emphasizing urgent remediation efforts. The memory leak manifests during active scans, where the JavaScript engine fails to properly deallocate resources, leading to rapid memory exhaustion.
This issue gained prominence after the OpenAPI add-on’s recent update incorporated the problematic JS scan rule, amplifying resource consumption in automated testing pipelines.
The underlying bug is a memory-handling defect in ZAP's JavaScript engine. The maintainers have not yet published a root cause; long-running script executions or objects that are never released to the garbage collector are plausible but unconfirmed explanations.
Active scans, ZAP's hallmark feature for probing web apps with automated attacks such as SQL injection and XSS, trigger the leak when the OpenAPI add-on's JavaScript-based scan rule runs as part of the scan.
Impacts include:
- Crashes or hangs in scanning sessions, halting vulnerability discovery.
- Elevated resource usage on scanning hosts, risking broader infrastructure strain in CI/CD environments.
- Delayed security assessments for DevSecOps teams using ZAP in Docker or standalone deployments.
The flaw does not weaken the security of the applications being scanned, but it undermines ZAP's reliability as a tool: a scan that dies partway through leaves real vulnerabilities unreported and delays their identification in production-like environments.
Mitigation and Release Updates
To curb immediate risks, the OpenAPI add-on has been patched to disable the offending JS scan rule by default. Users must update the add-on to pick up this workaround; the change lives in the add-on, not in ZAP core. Nightly and weekly ZAP releases bundling the patched add-on are now available, alongside refreshed Docker images for the weekly and live channels.
| Release Type | Status | Update Advice |
|---|---|---|
| Nightly | Updated | Pull latest for testing |
| Weekly | Updated | Recommended for production scans |
| Docker (Weekly/Live) | Updated | Rebuild containers promptly |
| Stable | Pending | Monitor for underlying fix |
Developers can confirm the ZAP build with zaproxy -version, but because the workaround is in the OpenAPI add-on, the add-on version shown in ZAP's Manage Add-ons dialog (or returned by the autoupdate API) is the one that matters. The rule should be re-enabled only after the underlying engine fix ships.
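Since the workaround is an add-on update rather than a ZAP core release, a version string alone is not a sufficient check. The script below is an added example (not ZAP project code) that queries a running ZAP instance through its REST API, reports the installed OpenAPI add-on version, and lists any enabled active scan rules whose name matches a given fragment, so a pipeline can fail fast if a scanner is still carrying the leaking rule. It assumes ZAP listening on http://localhost:8080 with an API key, and uses the documented views autoupdate/view/installedAddons and ascan/view/scanners. The minimum add-on version and the rule-name fragment are placeholders; take the real values from the add-on's release notes.

```python
"""Check a running ZAP's OpenAPI add-on version and active scan rule state.

Added example, not part of the ZAP project. Assumes a local ZAP instance with
an API key. The minimum version and the rule-name fragment are placeholders.
"""
import json
import urllib.parse
import urllib.request


def parse_version(version):
    """Turn '0.8.0' or '41' into a comparable 3-tuple of integers.

    Non-numeric suffixes (e.g. '-alpha') are ignored; missing components pad
    with zeros so '41' compares equal to '41.0.0'.
    """
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def addon_version(installed_json, addon_id):
    """Return the version string of add-on `addon_id` from the
    autoupdate/view/installedAddons response, or None if not installed."""
    for addon in installed_json.get("installedAddons", []):
        if addon.get("id") == addon_id:
            return addon.get("version")
    return None


def addon_is_current(installed_json, addon_id, minimum):
    """True if the add-on is installed at or above `minimum`."""
    version = addon_version(installed_json, addon_id)
    if version is None:
        return False
    return parse_version(version) >= parse_version(minimum)


def enabled_rules_matching(scanners_json, name_fragment):
    """Return (id, name) for enabled active scan rules whose name contains
    `name_fragment` (case-insensitive), from the ascan/view/scanners response.
    ZAP reports the enabled flag as the string 'true'/'false'."""
    hits = []
    for rule in scanners_json.get("scanners", []):
        name = rule.get("name", "")
        enabled = str(rule.get("enabled", "")).lower() == "true"
        if enabled and name_fragment.lower() in name.lower():
            hits.append((rule.get("id"), name))
    return hits


def zap_get(base_url, path, api_key):
    """GET a ZAP JSON API view, passing the key as the 'apikey' parameter."""
    url = f"{base_url}{path}?{urllib.parse.urlencode({'apikey': api_key})}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return json.load(resp)


def check_zap(base_url="http://localhost:8080", api_key="changeme",
              addon_id="openapi", minimum="0", rule_fragment="OpenAPI"):
    """Query a live ZAP and return a small report dict. Network-dependent;
    `minimum` and `rule_fragment` are hypothetical placeholders."""
    installed = zap_get(base_url, "/JSON/autoupdate/view/installedAddons/", api_key)
    scanners = zap_get(base_url, "/JSON/ascan/view/scanners/", api_key)
    return {
        "addon_version": addon_version(installed, addon_id),
        "addon_current": addon_is_current(installed, addon_id, minimum),
        "suspect_rules_enabled": enabled_rules_matching(scanners, rule_fragment),
    }


if __name__ == "__main__":
    report = check_zap()
    print(json.dumps(report, indent=2))
    # Fail the pipeline if the add-on is stale or a matching rule is still on.
    raise SystemExit(0 if report["addon_current"] and not report["suspect_rules_enabled"] else 1)
```

Run it as a pre-scan step in CI with the real API key, and pair it with a memory cap on the scanning container (for example docker run --memory) so that, if a leaking rule does slip through, the scan fails on its own rather than starving the rest of the host.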
ZAP maintainers are prioritizing a permanent resolution to the JavaScript engine leak, with follow-up commits expected soon. This incident underscores the challenges of embedding dynamic scripting in security tools, where a performance bug in the engine can cascade into operational failures for every rule that depends on it.
Security professionals are advised to monitor ZAP's GitHub repository and announcements for the stable release. In the interim, falling back to passive scanning or to alternative tools such as Burp Suite may bridge the gap.
Separately, the Zed Attack Proxy (ZAP) team has recently released the OWASP PTK add-on, version 0.2.0 alpha, integrating the OWASP Penetration Testing Kit (PTK) browser extension directly into ZAP-launched browsers.
