According to the ZAP project, a memory leak has been found in its embedded JavaScript engine. The leak has probably existed for a while, according to maintainers.

But after a behavior change—a new JavaScript-based scan rule was added to the OpenAPI add-on, which made the engine run more frequently and consistently during active scanning—it began to impact many more users. Because the new OpenAPI rule increases the number of JavaScript evaluations carried out during scan logic, the problem mainly affects users who are running active scans.

Practically speaking, repeated JS execution can cause the ZAP process's heap usage to increase steadily over the course of a scan, which may eventually cause the scanner to slow down, halt the scan's progress, or terminate the process if the JVM runs out of memory. During lengthy scans, users may notice increased garbage collection activity, rising RAM consumption, and failures that seem to be caused by resource exhaustion rather than a single crashing request.

Workarounds and hotfix status

In order to address the leak caused by active scans, ZAP maintainers have released a hotfix and stated that they are working urgently to find a solution.

The project states that in order to guarantee that the patched components load, ZAP and add-ons (including the OpenAPI add-on) should be updated right away. The hotfix makes sure that active scans can finish without memory-related hiccups, especially when examining applications with a lot of OpenAPI documentation.

Defenders performing time-sensitive scanning jobs can lessen the impact until the fix is implemented by:

- Disabling the OpenAPI add-on or the new JavaScript scan rule in the event that active scans become unstable.
- Splitting large OpenAPI definitions into smaller scan scopes to minimize long-lived JS execution in a single run.
- Increasing the JVM maximum heap size for ZAP to postpone failure, while treating this as a stopgap rather than a root-cause fix.
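To tell the steady heap growth described above apart from normal scan load, the following added example (not code from the ZAP project) fits a trend line to the post-GC heap floor in a JVM GC log and estimates how long the current heap limit will last. It assumes the ZAP JVM was started with `-Xlog:gc` and that sizes are logged in MB; the function names, thresholds and sample log lines are constructed for illustration.

```python
import re

# JDK unified GC log pause line (JVM started with -Xlog:gc), for example:
# [60.000s][info][gc] GC(1) Pause Young (Normal) (G1 Evacuation Pause) 400M->100M(1024M) 4.2ms
# Assumption: sizes are reported in M; K/G units are not handled here.
PAUSE = re.compile(r"\[(\d+(?:\.\d+)?)s\].*\bPause\b.*?(\d+)M->(\d+)M\((\d+)M\)")

def post_gc_samples(lines):
    """Return (uptime_s, heap_after_gc_mb, heap_capacity_mb) for each GC pause line."""
    hits = (PAUSE.search(line) for line in lines)
    return [(float(m[1]), int(m[3]), int(m[4])) for m in hits if m]

def slope_mb_per_min(samples):
    """Least-squares slope of post-GC heap (MB) over uptime (minutes)."""
    n = len(samples)
    if n < 2:
        return 0.0
    xs = [t / 60 for t, _, _ in samples]
    ys = [after for _, after, _ in samples]
    mx, my = sum(xs) / n, sum(ys) / n
    var = sum((x - mx) ** 2 for x in xs)
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / var if var else 0.0

def assess(lines, min_samples=5, min_slope=1.0):
    """Flag a steadily rising post-GC heap floor; thresholds are assumed defaults."""
    samples = post_gc_samples(lines)
    slope = slope_mb_per_min(samples)
    suspected = len(samples) >= min_samples and slope >= min_slope
    eta = None
    if suspected:
        _, after, cap = samples[-1]
        eta = (cap - after) / slope  # minutes until the floor reaches capacity
    return {"leak_suspected": suspected, "mb_per_min": slope, "minutes_to_full": eta}

def make_log(after_values, cap=1024):
    """Build constructed sample lines, one GC pause per minute."""
    return ["[0.015s][info][gc] Using G1"] + [
        f"[{60 * (i + 1)}.000s][info][gc] GC({i}) Pause Young (Normal) "
        f"(G1 Evacuation Pause) {a + 300}M->{a}M({cap}M) 4.2ms"
        for i, a in enumerate(after_values)]

# Constructed data: heap floor climbing 50 MB/min versus a flat floor.
LEAKING = make_log([100, 150, 200, 250, 300, 350])
HEALTHY = make_log([100, 102, 99, 101, 100, 98])

if __name__ == "__main__":
    print(assess(LEAKING))
    print(assess(HEALTHY))
```

A rising floor after each collection, rather than a high peak before it, is what separates a leak from a busy scan; raising the maximum heap only lengthens `minutes_to_full`.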

Component details and status

Affected part: JavaScript engine (the core engine that handles scripting and rules)
Source of trigger: OpenAPI (in particular, a recently added JS scan rule)
Type of impact: Resource depletion (local denial of service caused by a memory leak)
Operation affected: Active scanning (the majority of passive scanning is unaffected)
Corrective action: Update/hotfix (use the Marketplace to update the core and add-ons)