Release 2.14.0

This is a bug fix and enhancement release.
These release notes do not include all of the changes included in add-ons updated since 2.13.0.

This release was made possible thanks to our Platinum Sponsor, the Software Security Project.

Some of the more significant enhancements include:

Rebranding and Docker Hub Move

ZAP has had some minor rebranding changes as a result of the move to the Software Security Project.

As part of that move the official ZAP Docker images are being published to the Software Security Project Docker Hub Organisation. The OWASP images should continue to work for now but we recommend you change to use the new ones ASAP.

Note that you can also pull the ZAP Docker images from GitHub Container Registry.

Host Header Manipulation

Host headers can now be manipulated in ZAP - we know many of you have been waiting for this for a long time! The Break, Manual Request and Requester dialogs all have a new “Update Host Header” button. This is enabled by default (to keep backwards compatibility) but if you turn this off then you will be able to specify your own host headers which will be sent to the target site.


This release adds a new `-zapit` command line option to perform a quick ‘reconnaissance’ scan of the URL specified. For more details see the ZAPit help page

API File Transfers

You can now upload and download files to and from ZAP via the API. Note that this feature is disabled by default as a security measure. For more details, including how to enable it, see the API help page.

Graal JS Add-on Access

Since Oracle removed removed the Nashorn JavaScript engine from Java 15 anyone using Java 15+ has had to rely on the Graal JS add-on for JavaScript support. Unfortunately due to classloader issues it was not able to access add-on classes, which significantly limited its functionality.

These issues have now been resolved which means that Graal JS is the recommended JavaScript engine to use in ZAP. Note that existing Nashorn scripts may need changes to work with Graal JS.

Postman Support

ZAP can now import Postman collections thanks to the new Postman add-on.


ZAP includes a runtime Software Bill of Materials (SBOM) generated by CycloneDX for both the ZAP core and all of the add-ons maintained by the ZAP team. For more details see the Software Bill of Materials help page.

ZAP API OpenAPI Definition

An OpenAPI definition for the ZAP API is available in the main repository, which can be used to generate custom API clients. This definition is planned to be kept up to date for the latest core and add-on releases.

Note that currently the definition does not declare the most appropriate types for the parameters and does not contain the responses.

ZAP Browser Extensions

The eagle-eyed among you may have noticed that there are now ZAP Firefox and Chrome extensions: These are included in the new Client Side Integration add-on which supports:

This is not (yet) included in the main ZAP releases so you will need to download it from the Marketplace.

Dependency Updates

As usual the release includes dependency updates.

The following libraries were updated:

  • Commons Lang, 3.12.0 → 3.13.0
  • Flatlaf 3.1.1 → 3.2.1
  • RSyntaxTextArea, 3.3.3 → 3.3.4

The following library was added:

  • Log4j JUL Adapter 2.20.0


New Add-Ons

The following add-ons are included by default in this release for the first time:

Updated Add-Ons

All of the add-ons included by default have been updated since the last full release.


  • Issue 1926 : Remove Alerts for defined Context through ZAP API
  • Issue 2189 : Enable/Disable Script Causes Save Prompt on Exit
  • Issue 7607 : Allow to download/upload files through the ZAP API
  • Issue 7951 : Validate API parameter names
  • Issue 7984 : Allow to display script without focusing
  • Issue 7988 : Use short name for home dir in Windows
  • Issue 8012 : Move vulnerability data to Common Library add-on
  • Issue 8033 : Add/use Log4j JUL adapter
  • Issue 8040 : Add prompt text to search input fields
  • Issue 8042 : Find: use focus owner
  • Issue 8043 : Update Download Icon
  • Issue 8050 : Allow to select a script node without focusing
  • Issue 8067 : Allow to disable modification of multiple options
  • Issue 8070 : Prevent concurrent usage of ZAP home
  • Issue 8089 : Break: Allow host header manipulation
  • Issue 8101 : Extend ScanEventPublisher to support params
  • Issue 8109 : Make SBOM zip available via GUI, cmdline and API.
  • Issue 8118 : Record config stats

Bug fixes

  • Issue 7353 : Header `If-None-Match: *` removed for PUT requests
  • Issue 7960 : Graal.js engine might fail to load/access add-on classes
  • Issue 8013 : Use add-on class loader for interface from script
  • Issue 8028 : Set the view to `ExtensionAdaptor` sooner
  • Issue 8055 : Include country name for duplicated languages
  • Issue 8068 : Use the current database body size values
  • Issue 8111 : Raw HTML displayed in options panels for search matches

See Also

Introduction the introduction to ZAP
Releases the full set of releases
Credits the people and groups who have made this release possible