ZAP Project Identifies Memory Leak in JavaScript Engine Affecting Active Scans
The OWASP ZAP project has uncovered a memory leak in its embedded JavaScript engine, which maintainers believe has existed for some time but became more widespread following a recent update. The issue surfaced after the introduction of a new JavaScript-based scan rule in the OpenAPI add-on, which increased the frequency and consistency of JavaScript evaluations during active scans.
The vulnerability primarily impacts users running active scans, as the OpenAPI rule triggers repeated JavaScript execution, leading to steadily rising heap usage within the ZAP process. Over time, this can degrade scanner performance, stall scan progress, or cause the JVM to terminate due to memory exhaustion. Users may notice escalating RAM consumption, increased garbage-collection activity, and failures resembling resource exhaustion rather than a single crash.
ZAP maintainers have released a hotfix to address the leak, prioritizing stability for active scans. Until the fix is applied, users can mitigate the issue by updating ZAP and its add-ons, disabling the problematic JavaScript scan rule or the OpenAPI add-on, increasing the JVM heap size (as a temporary measure), or splitting large OpenAPI definitions into smaller scan scopes. Passive scanning remains largely unaffected.
The affected component is the core JavaScript engine, with the OpenAPI add-on’s new scan rule identified as the trigger. The impact is classified as a resource exhaustion issue leading to a local denial-of-service condition. The recommended remediation is to update all components via the ZAP Marketplace.
Source: https://cyberpress.org/owasp-zap-hotfix-js-engine-leak-active-scanning/
OWASP® Foundation cybersecurity rating report: https://www.rankiteo.com/company/owasp
"id": "OWA1769633044",
"linkid": "owasp",
"type": "Vulnerability",
"date": "1/2026",
"severity": "25",
"impact": "1",
"explanation": "Attack without any consequences"{'affected_entities': [{'customers_affected': 'Users running active scans with '
'the OpenAPI add-on',
'industry': 'Cybersecurity',
'name': 'OWASP ZAP Project',
'type': 'Open-source security tool'}],
'attack_vector': 'Local (via JavaScript-based scan rule execution)',
'description': 'The OWASP ZAP project has uncovered a memory leak in its '
'embedded JavaScript engine, which became more widespread '
'following a recent update. The issue surfaced after the '
'introduction of a new JavaScript-based scan rule in the '
'OpenAPI add-on, leading to steadily rising heap usage during '
'active scans. This can degrade scanner performance, stall '
'scan progress, or cause the JVM to terminate due to memory '
'exhaustion.',
'impact': {'downtime': 'Possible scan stalls or JVM termination',
'operational_impact': 'Degraded scanner performance, increased '
'garbage-collection activity',
'systems_affected': 'OWASP ZAP active scan functionality'},
'post_incident_analysis': {'corrective_actions': 'Hotfix released to address '
'the memory leak',
'root_causes': 'Memory leak in the core JavaScript '
'engine triggered by the new '
'JavaScript-based scan rule in the '
'OpenAPI add-on'},
'recommendations': 'Update ZAP and its add-ons, disable the problematic '
'JavaScript scan rule or OpenAPI add-on if necessary, '
'increase JVM heap size as a temporary measure, or split '
'large OpenAPI definitions into smaller scan scopes.',
'references': [{'source': 'OWASP ZAP Project'}],
'response': {'containment_measures': 'Disabling the problematic JavaScript '
'scan rule or OpenAPI add-on, increasing '
'JVM heap size (temporary measure), '
'splitting large OpenAPI definitions '
'into smaller scan scopes',
'recovery_measures': 'Update ZAP and its add-ons via the ZAP '
'Marketplace',
'remediation_measures': 'Hotfix released to address the memory '
'leak'},
'title': 'Memory Leak in JavaScript Engine Affecting Active Scans in OWASP '
'ZAP',
'type': 'Resource Exhaustion',
'vulnerability_exploited': 'Memory leak in embedded JavaScript engine'}