The ZAP (Zed Attack Proxy) project, a widely used open-source web application security scanner, has disclosed a critical memory leak in its JavaScript engine.
The flaw, probably present for some time, now disrupts active scanning workflows following the introduction of a new JavaScript scan rule in the OpenAPI add-on.
Security teams relying on ZAP for dynamic application security testing (DAST) face potential denial-of-service-like conditions during scans.
ZAP maintainers issued the alert on January 28, 2026, emphasizing urgent remediation efforts. The memory leak manifests during active scans, where the JavaScript engine fails to properly deallocate resources, leading to rapid memory exhaustion.
The issue gained prominence after the OpenAPI add-on's recent update included the problematic JS scan rule, amplifying resource consumption in automated testing pipelines.
At its core, the flaw stems from inefficient memory handling within ZAP's JavaScript engine, possibly tied to long-running script executions or unhandled garbage collection in scan rules.
"We have become aware of a memory leak in the JavaScript engine. That has probably been there for some time, but will now affect anyone using the active scan due to the addition of a new JS scan rule in the OpenAPI add-on. We're working on a fix as a matter of urgency." — Zed Attack Proxy (@zaproxy) January 28, 2026
Active scans, ZAP's hallmark feature for probing web apps with automated attacks such as SQL injection and XSS, trigger the leak when processing OpenAPI specs with embedded JavaScript logic.
Impacts include:
- Crashes or hangs in scanning sessions, halting vulnerability discovery.
- Elevated resource usage on scanning hosts, risking broader infrastructure strain in CI/CD environments.
- Delayed security assessments for DevSecOps teams using ZAP in Docker or standalone deployments.
The flaw does not expose scanned applications to exploits, but it undermines ZAP's reliability as a security tool, potentially delaying patch identification in production-like environments.
Mitigation and Release Updates
To curb immediate risks, the OpenAPI add-on has been patched to disable the offending JS scan rule by default. Users must update to the latest version of the add-on for this workaround. Nightly and weekly ZAP releases are now available with the fix, alongside refreshed Docker images for the weekly and live channels.
Release Type          Status    Update Advice
Nightly               Updated   Pull latest for testing
Weekly                Updated   Recommended for production scans
Docker (Weekly/Live)  Updated   Rebuild containers promptly
Stable                Pending   Monitor for underlying fix
Developers should verify installations via zaproxy -version and re-enable the rule only after the root fix has landed.
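For teams that drive ZAP from CI rather than the desktop UI, the workaround above can be applied through ZAP's local JSON API. The script below is an added example, not code from the ZAP project or this article: it lists the active-scan rules, picks the enabled ones whose name matches a hint, and disables them until the engine fix ships. The API listener address, the API key and the rule-name hint are assumptions (the article does not give the rule's name or ID), and the sample API response is constructed to show the shape only.

```python
"""Disable a named ZAP active-scan rule via the local API (added example)."""
import json
import urllib.parse
import urllib.request

ZAP_URL = "http://127.0.0.1:8080"   # assumption: ZAP's default API listener
API_KEY = "changeme"                # assumption: replace with your ZAP API key
RULE_NAME_HINT = "OpenAPI"          # placeholder: substring of the rule's name

# Constructed sample of the shape returned by /JSON/ascan/view/scanners/
SAMPLE_SCANNERS = {"scanners": [
    {"id": "40012", "name": "Cross Site Scripting (Reflected)", "enabled": "true"},
    {"id": "99999", "name": "OpenAPI JS placeholder rule", "enabled": "true"},
    {"id": "99998", "name": "OpenAPI JS placeholder rule (old)", "enabled": "false"},
]}


def select_rule_ids(scanners, name_hint):
    """Return ids of rules that are enabled and whose name contains name_hint."""
    hint = name_hint.lower()
    return [s["id"] for s in scanners.get("scanners", [])
            if s.get("enabled") == "true" and hint in s.get("name", "").lower()]


def build_api_url(base, component, kind, action, params):
    """Build a ZAP JSON API URL such as /JSON/ascan/action/disableScanners/?ids=..."""
    return f"{base}/JSON/{component}/{kind}/{action}/?{urllib.parse.urlencode(params)}"


def api_get(url):
    """Issue one API call and decode the JSON body."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def disable_matching_rules(base=ZAP_URL, api_key=API_KEY, name_hint=RULE_NAME_HINT):
    """Disable every enabled active-scan rule matching name_hint; return their ids."""
    scanners = api_get(build_api_url(base, "ascan", "view", "scanners", {"apikey": api_key}))
    ids = select_rule_ids(scanners, name_hint)
    if ids:  # disableScanners takes a comma-separated id list
        api_get(build_api_url(base, "ascan", "action", "disableScanners",
                              {"ids": ",".join(ids), "apikey": api_key}))
    return ids


if __name__ == "__main__":
    print("disabled rule ids:", disable_matching_rules())
```

Re-run the same flow with enableScanners once a fixed ZAP build is installed, so the rule is not left off indefinitely.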
ZAP maintainers are prioritizing a permanent resolution to the JavaScript engine leak, with further commits expected soon. This incident underscores the challenges of integrating dynamic scripting in security tools, where performance bugs can cascade into operational problems.
Security professionals are advised to monitor ZAP's GitHub repository and announcements for the stable release. In the interim, falling back to passive scans or alternative tools such as Burp Suite may bridge the gap.
Recently the Zed Attack Proxy (ZAP) team released the OWASP PTK add-on, version 0.2.0 alpha, integrating the OWASP Penetration Testing Kit (PTK) browser extension directly into ZAP-launched browsers.