ZAP Project Identifies Memory Leak in JavaScript Engine Affecting Active Scans The OWASP ZAP project has uncovered a memory leak in its embedded JavaScript engine, which maintainers believe has existed for some time but became more widespread following a recent update. The issue surfaced after the introduction of a new JavaScript-based scan rule in the OpenAPI add-on, which increased the frequency and consistency of JavaScript evaluations during active scans. The vulnerability primarily impacts users running active scans, as the OpenAPI rule triggers repeated JavaScript execution, leading to steadily rising heap usage within the ZAP process. Over time, this can degrade scanner performance, stall scan progress, or cause the JVM to terminate due to memory exhaustion. Users may notice escalating RAM consumption, increased garbage-collection activity, and failures resembling resource exhaustion rather than a single crash. ZAP maintainers have released a hotfix to address the leak, prioritizing stability for active scans. Until the fix is applied, users can mitigate the issue by updating ZAP and its add-ons, disabling the problematic JavaScript scan rule or the OpenAPI add-on, increasing the JVM heap size (as a temporary measure), or splitting large OpenAPI definitions into smaller scan scopes. Passive scanning remains largely unaffected. The affected component is the core JavaScript engine, with the OpenAPI add-on’s new scan rule identified as the trigger. The impact is classified as a resource exhaustion issue leading to a local denial-of-service condition. The recommended remediation is to update all components via the ZAP Marketplace.