A memory leak in the JavaScript engine of ZAP (Zed Attack Proxy), the popular open-source web application security scanner, has been disclosed by the project's maintainers. The leak has probably existed for some time, but a new JavaScript scan rule added to the OpenAPI add-on now triggers it during active scans, disrupting active scanning workflows.

Security teams that use ZAP for dynamic application security testing (DAST) may see denial-of-service-like conditions on the scanning host while a scan is running. ZAP's maintainers published the alert on January 28, 2026 and advised users to update promptly. The leak shows up as memory exhaustion: memory the JavaScript engine allocates during an active scan is not released, so the ZAP process keeps growing for the duration of the scan. The problem became visible once the offending JS scan rule shipped in a recent OpenAPI add-on update, which raised resource consumption in automated testing pipelines that run active scans.

The root cause lies in the memory management of ZAP's JavaScript engine. The maintainers have not published details; whether long-running script executions or garbage-collection behaviour in scan rules is involved is speculation until the underlying fix lands. The maintainers' statement reads:

"A memory leak in the JavaScript engine has come to our attention that has likely existed for a while, but the OpenAPI add-on's new JS scan rule will now have an impact on anyone utilizing the active scan. We are urgently working on a solution." (Zed Attack Proxy, @zaproxy, January 28, 2026)

Active scans, ZAP's core feature for probing web applications with automated attacks such as SQL injection and cross-site scripting, trigger the leak once the OpenAPI add-on's new JavaScript scan rule is installed and enabled. Passive scanning is not affected.

The effects include:

- Crashes or hangs of the ZAP process, which stop vulnerability discovery partway through a scanning session.
- Increased memory consumption on scanning hosts, which can starve other workloads in shared CI/CD environments.
- Delayed security assessments for DevSecOps teams that run ZAP in standalone or Docker deployments.

The issue does not expose the scanned applications to any new attack; the impact is on ZAP's reliability as a tool and on how quickly vulnerabilities in the applications it scans are found and fixed.

Updates on Mitigation and Release

As an immediate mitigation, the OpenAPI add-on has been updated so that the offending JS scan rule is disabled automatically. Users must update the add-on to pick up this change. The updated add-on is available in the nightly and weekly ZAP releases, together with rebuilt Docker images for the weekly and live channels.

Release Type          | Status   | Update Advice
----------------------|----------|----------------------------------------
Nightly               | Updated  | Pull the most recent version for testing
Weekly                | Updated  | Suggested for production scans
Docker (Live/Weekly)  | Revised  | Rebuild containers as soon as possible
Stable                | Pending  | Check for the underlying fix

Users should re-enable the rule only after the root fix has shipped, and should confirm through the ZAP project's release announcements that the installed version includes it. A permanent fix for the JavaScript engine leak is the maintainers' top priority, and further commits are expected shortly.

This episode illustrates a risk of embedding dynamic scripting in security tools: a performance defect in the tool itself becomes an operational problem for every team that depends on it.

Security teams should watch ZAP's GitHub repository and the announcements for the stable release. In the interim, alternative tools such as Burp Suite, or a fallback to passive-only ZAP scans, can cover the gap.
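As an added example (not from the ZAP project or the original article), the following ZAP Automation Framework plan puts the interim advice into practice: it runs the spider, waits for passive scanning, then runs an active scan with one rule forced off. The target URL is a placeholder, and the rule id 99999 is a placeholder for the numeric id of the OpenAPI add-on's JavaScript scan rule, which the advisory does not give; substitute the real id from the add-on's release notes. Deleting the activeScan job turns the same plan into the passive-only fallback mentioned above.

```yaml
# Added example plan for ZAP's Automation Framework (zap.sh -cmd -autorun plan.yaml).
# Placeholders: the target URL and the rule id 99999 are assumptions, not values from the advisory.
env:
  contexts:
    - name: "Default"
      urls:
        - "https://app.example.test"   # placeholder target
  parameters:
    failOnError: true
    progressToStdout: true

jobs:
  - type: passiveScan-config
    parameters:
      maxAlertsPerRule: 10

  - type: spider
    parameters:
      context: "Default"
      maxDuration: 5               # minutes

  # Passive scanning is unaffected by the leak; this job alone is the interim fallback.
  - type: passiveScan-wait
    parameters:
      maxDuration: 5

  # Active scan with the JavaScript scan rule explicitly turned off.
  # Remove this whole job for a passive-only run; restore the rule
  # (delete the entry below) once the root fix has shipped.
  - type: activeScan
    parameters:
      context: "Default"
      maxScanDurationInMins: 30
    policyDefinition:
      defaultStrength: "Medium"
      defaultThreshold: "Medium"
      rules:
        - id: 99999                  # placeholder: id of the OpenAPI add-on's JS scan rule
          threshold: "Off"           # "Off" disables the rule for this scan
```

With a local install, run the plan with zap.sh -cmd -autorun plan.yaml. In Docker, mount the directory holding the plan at /zap/wrk and run the same command inside the container; the image tag to use (weekly or stable) is whichever channel the table above marks as updated for your deployment.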
