Memory usage increase when trying to use javascript passive script

Patryk Plura

Jan 22, 2026, 12:23:02 PM
to ZAP User Group
Hello dear community.
I run ZAP via the .bat file on Windows - the latest one, 2.17.0, with this Java onboard:
openjdk 17.0.17 2025-10-21
OpenJDK Runtime Environment Temurin-17.0.17+10 (build 17.0.17+10)
OpenJDK 64-Bit Server VM Temurin-17.0.17+10 (build 17.0.17+10, mixed mode, sharing)

I've observed an issue with JavaScript passive scripts:
Normally, without any script, the memory usage is pretty stable and increases very slowly.
But when I enable the passive script, it increases dramatically fast.
Then when I disable it, the memory increase stops and usage stays at this level (doesn't drop).

I also haven't found any issue with ZAP related to memory usage, heap allocation or anything else like this.
My question is: can I do anything to stop this memory increase, or should I just report an issue on the ZAP GitHub?

Here is an example of the script:
var ScanRuleMetadata = Java.type(
  "org.zaproxy.addon.commonlib.scanrules.ScanRuleMetadata"
);

function getMetadata() {
  return ScanRuleMetadata.fromYaml(`
id: 100003
name: Cookie Set Without HttpOnly Flag
description: >
  A cookie has been set without the HttpOnly flag, which means that the cookie can be accessed by JavaScript.
  If a malicious script can be run on this page then the cookie will be accessible and can be transmitted to another site.
  If this is a session cookie then session hijacking may be possible.
solution: Ensure that the HttpOnly flag is set for all cookies.
risk: low
confidence: medium
cweId: 0
wascId: 13  # WASC-13: Information Leakage
status: alpha
`);
}

function scan(helper, msg, src) {
  return;
}

thc202

Jan 22, 2026, 1:15:05 PM
to zaprox...@googlegroups.com
Hi,

Are you talking about memory leaks or just memory usage? Did you try
forcing the GC?

Best regards.

Patryk Plura

3:10 AM
to ZAP User Group
Hi thc,
Thanks for the reply.
Yes, I've tried forcing the GC via the API and the behavior is still the same.
To me it looks like a memory leak whenever anything during the scan uses Graal.js, as after I stop using it (disabling all scripts) everything looks fine.
Without any script ZAP works fine.

Peter Browning

9:58 AM
to ZAP User Group
This has also been my experience using Graal.js scripts in the AF, specifically session management and authentication scripts. Without them, the program will stay under 8 GB of memory. With the scripts, it consistently crashes due to OOM at ~32 GB of memory. None of the scripts do anything memory-intensive. Seems to be a leak somewhere in the script interpreter. I haven't tested with any of the other script languages.

Patryk Plura

10:03 AM
to ZAP User Group
So I'm not insane and not alone with this issue.
I've tried Groovy and Python and those look stable. Unfortunately for me those are unusable, as Python in the old version (2.7) is lacking features and Groovy is not well documented.
Thanks for confirming this issue, Peter.
I will try to report this as an issue on GitHub - or can I report this issue there?
Sorry, I'm not familiar with the ZAP community and how all those communication channels work.