BrowserMob Proxy hasn't been updated since 2017, ships a vulnerable Log4j version (CVE-2021-44228), and has hundreds of unresolved issues. har-capture-proxy is a drop-in Rust replacement with full BMP API compatibility.
BrowserMob Proxy was an excellent tool in its time. But it has been effectively abandoned for years, and using it today introduces real security and reliability risks.
December 2016 (2.1.4): the last officially published release, still shown on the BMP website.
September 2017 (2.1.5): a Git tag was created and the artifact was pushed to Maven Central, but no GitHub release was published. This was the last meaningful activity on the repository.
December 2021 (CVE-2021-44228, Log4Shell): the most severe Java vulnerability in a decade. BMP's bundled Log4j 2.9.0 is directly affected. No response from the maintainers.
January 2022 (PR #891): updated Log4j to 2.17.1. As of 2025, it remains open with no maintainer review.
2025: hundreds of open issues and pull requests, no maintainer activity. The project is effectively dead.
These are documented, reproducible problems that affect current users and will never be fixed in BMP.
BMP bundles Log4j 2.9.0, which is vulnerable to Log4Shell (CVE-2021-44228, CVSS 10.0). Any attacker-controlled string that reaches a log statement, for example a request URL or header the proxy logs, can carry a JNDI lookup that makes the JVM fetch and execute attacker-supplied code. The commonly cited log4j2.formatMsgNoLookups mitigation does not help here: that property only exists from Log4j 2.10.0, so for 2.9.0 the only in-place mitigations are replacing the dependency or removing JndiLookup.class from log4j-core. No official BMP fix has been released.
Widespread SSLHandshakeException errors (#656, #439) including unknown_ca, certificate_unknown, and unrecognized_name errors. Workarounds exist but are fragile and browser-specific.
HTTPS interception fails on Android devices with certificate_unknown errors (#828), even after installing CA certificates. No fix available.
BMP's self-signed MITM certificates cause Chrome to skip caching for static resources (#703), leading to slower page loads and inaccurate performance metrics in HAR files.
BMP requires a full JVM with ~200 MB baseline memory and 2–5 second cold start times. In CI environments running parallel test suites, this overhead is significant.
Beyond Log4j, BMP's entire dependency tree (Netty, LittleProxy, Guava, Jackson, etc.) is frozen at 2017-era versions with their own accumulated CVEs and compatibility issues.
A direct comparison across the dimensions that matter for test infrastructure.
| Dimension | BrowserMob Proxy | har-capture-proxy |
|---|---|---|
| Last release | 2017 (2.1.5) | Actively maintained |
| Security vulnerabilities | Log4j 2.9.0 — CVE-2021-44228 (CVSS 10.0) | No known CVEs; no Log4j; memory-safe Rust |
| Language / Runtime | Java (requires JVM 8+) | Rust (single static binary, no runtime) |
| Binary size | ~50 MB (JVM + JAR) | ~5 MB |
| Startup time | 2–5 seconds | <10 ms |
| Memory (idle) | ~200 MB (JVM baseline) | ~3 MB |
| TLS implementation | Java SSLEngine (frequent handshake issues) | rustls (memory-safe, modern TLS) |
| Certificate generation | Hardcoded impersonation cert (caching issues) | Auto-generated CA with per-host certs (rcgen) |
| BMP REST API | 25+ endpoints | 25+ endpoints (full compatibility) |
| HAR 1.2 capture | Yes | Yes |
| JSON mutations (JSONPath) | Not available | Yes — replace, multiply, add, regex, faker |
| HTML transforms (CSS selectors) | Not available | Yes — streaming via lol_html |
| Sandboxed JS transforms | Accepts but does not execute | Yes (V8 isolate; V8 itself is C++, so this component sits outside Rust's memory-safety guarantees) |
| Fake data generation | Not available | Names, emails, phones, addresses (seeded) |
| Concurrency model | Thread pool (Netty) | Async (Tokio) — thousands of connections |
| Open issues (GitHub) | ~200+ unresolved | Actively triaged |
Three steps. No code changes required for standard BMP API usage.
Remove the BMP JAR and JVM dependency. Download the single har-capture-proxy binary for your platform from GitHub Releases. Same --port flag, same REST API. In CI, pin a specific release tag and verify the binary's checksum rather than fetching latest on every run.
Install the auto-generated CA cert from ~/.har-capture-proxy/har-capture-proxy-ca.pem into the trust store your browser actually consults (the OS store for Chrome and Edge, the profile's own store for Firefox) or into your test framework's HTTP client; the Selenium & Playwright Guide covers each driver. Trust it only in the test browser profile or CI image, not in a developer workstation's system store, and treat the corresponding private key as a secret: anyone who holds it can silently intercept TLS for every client that trusts this CA.
All 25+ BMP REST endpoints are compatible. Your existing Selenium, Playwright, or HTTP client code works without changes. The proxy session ports, HAR capture, headers, filtering — everything maps 1:1.
```bash
# Download (macOS Apple Silicon example)
curl -L https://github.com/jaygen/har-capture-proxy/releases/latest/download/har-capture-proxy-aarch64-apple-darwin \
  -o har-capture-proxy && chmod +x har-capture-proxy

# Start the control API (same port as your BMP setup)
./har-capture-proxy --port 8080

# Create a proxy session — same API as BMP
curl -X POST http://localhost:8080/proxy
# {"port": 8081}

# Start HAR capture — same API as BMP
curl -X PUT http://localhost:8080/proxy/8081/har

# ... run your Selenium tests pointing to localhost:8081 ...

# Retrieve HAR — same API as BMP
curl http://localhost:8080/proxy/8081/har -o capture.har
```
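The same session flow in Python, as an added example for this page rather than code from the har-capture-proxy project: a small client over the BMP-compatible control API (only the endpoints used above plus DELETE /proxy/{port} for teardown are assumed), followed by the checks a test suite usually wants from the returned HAR, including a list of any request that left the browser in cleartext. The transport is injectable; the fake transport and the sample HAR are constructed so the script runs without a proxy, and passing urllib_transport instead runs it against a live instance on localhost:8080.

```python
"""Drive a BrowserMob-compatible control API and sanity-check the resulting HAR.

Added example for this page; not code from the har-capture-proxy project. It
assumes only the BMP REST endpoints shown above (POST /proxy, PUT /proxy/{port}/har,
GET /proxy/{port}/har, DELETE /proxy/{port}) and the control API on localhost:8080.
"""
import json
import urllib.parse
import urllib.request
from collections import Counter
from typing import Callable, Dict, Optional

# A transport is (method, url, body) -> response bytes. Injecting it lets the
# same client run against a live proxy or against the offline fake below.
Transport = Callable[[str, str, Optional[bytes]], bytes]


def urllib_transport(method: str, url: str, body: Optional[bytes] = None) -> bytes:
    """Real HTTP transport, used when a proxy is actually running."""
    req = urllib.request.Request(url, data=body, method=method)
    if body is not None:
        req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


class BmpClient:
    """Thin wrapper over the BMP control API. Port numbers come from the server."""

    def __init__(self, control_url: str = "http://localhost:8080",
                 transport: Transport = urllib_transport) -> None:
        self.control_url = control_url.rstrip("/")
        self.transport = transport

    def create_proxy(self) -> int:
        body = self.transport("POST", f"{self.control_url}/proxy", None)
        return int(json.loads(body)["port"])

    def start_har(self, port: int, capture_headers: bool = True) -> None:
        # BMP accepts form-encoded options such as captureHeaders on this PUT.
        params = urllib.parse.urlencode({"captureHeaders": str(capture_headers).lower()}).encode()
        self.transport("PUT", f"{self.control_url}/proxy/{port}/har", params)

    def get_har(self, port: int) -> Dict:
        return json.loads(self.transport("GET", f"{self.control_url}/proxy/{port}/har", None))

    def delete_proxy(self, port: int) -> None:
        self.transport("DELETE", f"{self.control_url}/proxy/{port}", None)


def summarize_har(har: Dict) -> Dict:
    """Facts a test suite usually asserts on: hosts seen, status codes, and
    any request that left the browser in cleartext."""
    entries = har["log"]["entries"]
    hosts = Counter(urllib.parse.urlsplit(e["request"]["url"]).hostname for e in entries)
    statuses = Counter(e["response"]["status"] for e in entries)
    cleartext = [e["request"]["url"] for e in entries
                 if urllib.parse.urlsplit(e["request"]["url"]).scheme == "http"]
    return {"entries": len(entries), "hosts": dict(hosts),
            "statuses": dict(statuses), "cleartext_urls": cleartext}


# --- constructed offline stand-in for a running proxy -------------------------
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed", "version": "0"},
              "entries": [
    {"request": {"method": "GET", "url": "https://example.test/"}, "response": {"status": 200}},
    {"request": {"method": "GET", "url": "https://example.test/api/items"}, "response": {"status": 500}},
    {"request": {"method": "GET", "url": "http://tracker.example.test/pixel.gif"}, "response": {"status": 200}},
]}}


def fake_transport(method: str, url: str, body: Optional[bytes] = None) -> bytes:
    """Offline transport that answers like the control API. Constructed for the
    example; a real proxy chooses its own port."""
    if (method, url) == ("POST", "http://localhost:8080/proxy"):
        return b'{"port": 8081}'
    if method == "GET" and url.endswith("/proxy/8081/har"):
        return json.dumps(SAMPLE_HAR).encode()
    if method in ("PUT", "DELETE") and "/proxy/8081" in url:
        return b""
    raise ValueError(f"unexpected call {method} {url}")


def capture_session(transport: Transport = fake_transport) -> Dict:
    """Create a proxy, start capture, (run the browser scenario), fetch HAR, tear down."""
    client = BmpClient(transport=transport)
    port = client.create_proxy()
    client.start_har(port)
    # ... point the browser at localhost:<port> and run the scenario here ...
    har = client.get_har(port)
    client.delete_proxy(port)
    summary = summarize_har(har)
    summary["proxy_port"] = port
    return summary


if __name__ == "__main__":
    print(json.dumps(capture_session(), indent=2))
```

Asserting that cleartext_urls is empty after a login flow is a cheap way to catch a tracker or mixed-content regression that the functional tests would never notice.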
No. BrowserMob Proxy's last official release (2.1.4) was in December 2016, and the last tagged version (2.1.5) was in September 2017. The repository at lightbody/browsermob-proxy has hundreds of open issues and unmerged pull requests — including a critical Log4j security patch submitted in January 2022 that has never been reviewed. The project is effectively abandoned.
Yes. BrowserMob Proxy ships with Log4j 2.9.0, which is vulnerable to CVE-2021-44228 (Log4Shell), a critical remote code execution vulnerability rated CVSS 10.0. You can manually override the Log4j dependency in Maven or Gradle, but the project's entire dependency tree is frozen at 2017-era versions, meaning other transitive vulnerabilities also go unpatched.
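A way to check this answer (and the problem list earlier) against an actual JAR, written for this page rather than taken from either project: inspect log4j-core for its recorded Maven version and for the JndiLookup class, then apply the class-removal mitigation Apache published for releases older than 2.10.0, which is the only in-place option for 2.9.0 because the log4j2.formatMsgNoLookups property did not exist yet. The sample JAR is constructed in memory with placeholder bytes; point audit_log4j_jar at the real log4j-core JAR from your BMP distribution to audit it. Removing the class only neutralises CVE-2021-44228; upgrading, as recommended above, is still the real fix.

```python
"""Audit a log4j-core JAR for CVE-2021-44228 exposure and apply the class-removal
mitigation.

Added example for this page, not part of BMP or har-capture-proxy. It works on any
log4j-core JAR (BMP bundles 2.9.0); the sample JAR below is constructed in memory
so the script runs offline.
"""
import io
import re
import zipfile
from typing import Dict, Optional, Tuple

JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

FIRST_FIXED = (2, 15, 0)            # first release that disabled lookups for 44228
NO_LOOKUPS_FLAG_SINCE = (2, 10, 0)  # log4j2.formatMsgNoLookups exists only from here


def parse_version(text: str) -> Tuple[int, int, int]:
    """'2.9.0' -> (2, 9, 0); '2.0-beta9' -> (2, 0, 0) (pre-releases treated as x.y.0)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def log4j_core_version(jar: zipfile.ZipFile) -> Optional[str]:
    """Read the Maven version recorded inside the JAR, if present."""
    if POM_PROPERTIES not in jar.namelist():
        return None
    for line in jar.read(POM_PROPERTIES).decode().splitlines():
        if line.startswith("version="):
            return line.split("=", 1)[1].strip()
    return None


def audit_log4j_jar(jar_bytes: bytes) -> Dict:
    """Report version, presence of JndiLookup, and whether 44228 is still reachable."""
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        version = log4j_core_version(jar)
        has_jndi = JNDI_LOOKUP_CLASS in jar.namelist()
    v = parse_version(version) if version else None
    in_affected_range = v is not None and (2, 0, 0) <= v < FIRST_FIXED
    # Without JndiLookup the lookup that reaches out to LDAP/RMI cannot run.
    vulnerable = in_affected_range and has_jndi
    flag_works = v is not None and v >= NO_LOOKUPS_FLAG_SINCE
    return {"version": version, "jndi_lookup_present": has_jndi,
            "vulnerable_to_cve_2021_44228": vulnerable,
            "format_msg_no_lookups_flag_applies": flag_works}


def strip_jndi_lookup(jar_bytes: bytes) -> bytes:
    """Rebuild the JAR without JndiLookup.class: the Apache-recommended mitigation
    for 2.0-beta9 through 2.10.0, where the system-property mitigation is unavailable."""
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if info.filename != JNDI_LOOKUP_CLASS:
                dst.writestr(info, src.read(info.filename))
    return out.getvalue()


def build_sample_jar(version: str, include_jndi: bool = True) -> bytes:
    """Constructed stand-in for log4j-core-<version>.jar: only the entries the
    audit inspects, with placeholder bytes instead of real class files."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(POM_PROPERTIES,
                     f"groupId=org.apache.logging.log4j\nartifactId=log4j-core\nversion={version}\n")
        jar.writestr("org/apache/logging/log4j/core/Logger.class", b"\xca\xfe\xba\xbe")
        if include_jndi:
            jar.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")
    return buf.getvalue()


if __name__ == "__main__":
    bmp_jar = build_sample_jar("2.9.0")
    print(audit_log4j_jar(bmp_jar))
    print(audit_log4j_jar(strip_jndi_lookup(bmp_jar)))
```

Run audit_log4j_jar over every JAR on the BMP classpath, not just the obvious one: shaded or repackaged copies of log4j-core carry the same class under the same path and are missed by version-string checks alone.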
har-capture-proxy is a modern, drop-in replacement written in Rust. It implements all 25+ BMP REST API endpoints, so your existing Selenium test code works without changes. It starts in under 10 milliseconds, uses ~3 MB of memory, has no JVM dependency, and adds features like JSON mutations, HTML transforms, and sandboxed JavaScript transforms that BMP never had.
Yes. har-capture-proxy exposes the same REST API as BrowserMob Proxy. Any Selenium or Playwright test that uses BMP for HAR capture can switch by replacing the binary and trusting the new CA certificate. See the Selenium & Playwright Guide for detailed examples in Java, Python, Ruby, and JavaScript.
BMP's HTTPS interception relies on Java's SSLEngine and a now-outdated version of LittleProxy. Common failures include SSLHandshakeException: unknown_ca, certificate_unknown on Android, and SNI-related errors that require JVM flags to work around. These bugs have been documented in dozens of GitHub issues but will never be fixed. har-capture-proxy uses rustls for modern, memory-safe TLS and rcgen for automatic per-host certificate generation.
Unlike browser-native approaches (Chrome DevTools Protocol, Playwright's built-in HAR), har-capture-proxy works with any browser and any HTTP client. Unlike mitmproxy (Python), it's a single binary with no runtime dependencies, startup in under 10 ms, and a BMP-compatible REST API that requires zero code changes to adopt. It's purpose-built as a BMP replacement for test automation.
Download the binary, swap it in, and run your existing tests. No code changes needed.