Juice Shop v20.0.0 — a fresh squeeze of features, now with AI

Björn Kimminich

Wednesday, May 13, 2026

After months of work on the develop branch, OWASP Juice Shop v20.0.0 is ready to serve. This is a major version bump packed with new challenges, a redesigned storefront, and a long list of under-the-hood improvements. Read on to learn what’s new in this release.

⚠️ Heads up before you use it: This release contains breaking changes for existing challenges and CTF setups, plus technical changes that may require updates to your customization files. Older solution guides may also need adjustments.


🤖 AI has joined the juice bar

The headline feature of v20.0.0 is a brand-new set of AI-themed challenges, exploring the security pitfalls of LLM-backed features in modern web applications:

  • Chatbot Prompt Injection ⭐⭐ — a gentle introduction to making LLMs spill the juice.
  • Greedy Chatbot Manipulation ⭐⭐⭐ — for hackers who want to coax more out of the model than intended.
  • AI Debugging ⭐⭐ — because even artificial intelligence sometimes needs a human in the loop.

The new AI-powered chatbot in action

These challenges require a configured LLM/AI endpoint to function. To make room for the new LLM-based chatbot, the legacy NLP-based chatbot has been retired, along with the “Bully Chatbot” and “Kill Chatbot” challenges.

🛠️ LLM Setup Details: The LLM setup guide explains the two main options for connecting an LLM:

  • Local Ollama model: The easiest way to run a model entirely on your own machine.
  • Remote OpenAI-compatible server: Use any cloud-based or self-hosted LLM that supports the OpenAI API format.

🛍️ A freshly pressed storefront

The shop itself got a major facelift. The product overview now uses a more compact and modern grid layout, and the Coding Challenge view has been redesigned as its own dedicated page with a more intuitive flow and modern code highlighters.

The new coding challenges UI

Other notable UI improvements:

  • Guest baskets for anonymous shoppers, with a smooth merge-on-login when users finally create an account.
  • Proper mobile scroll behavior across the app.
  • Blur effects and the new grid view extended to the photo wall, plus a generally more polished look across the board.
  • Our brand new neon-fire theme (now the default in the ctf config) will harmonize perfectly with a fancy new feature in the upcoming MultiJuicer v10 release. Stay tuned for more details about this exciting major release very soon!

The new neon-fire theme

Under the hood, the frontend has been upgraded to Angular 21.x, and Angular Material themes were migrated from the legacy M2 to M3.


⚡ Faster, lighter, snappier

We didn’t just add features — we trimmed the rind too:

  • ~30% faster startup time, thanks to lazy-loading heavy dependencies and batching database inserts at boot.
  • Smaller Docker image — with just over 125MB the container is now the leanest it’s been since Juice Shop v8, more than seven years and many feature additions ago.
  • Heavier pages have been split out for faster initial loads, and certain large textures were converted to .avif for a lighter payload.

Bundle analysis of the Juice Shop frontend

The net effect: noticeably quicker local starts, faster MultiJuicer instance launches, and less bandwidth burned on every deployment.


🛡️ Smarter challenges, smarter cheat detection

Behind the scenes, v20.0.0 also sharpens the rules of the game:

  • Loosely coupled challenges no longer trip cheat detection based purely on timing — a fairer outcome for legitimate solvers.
  • Direct access to tracking pixels is now treated as guaranteed cheating.
  • The “Mint the Honeypot” and “Wallet Depletion” challenges now require an ALCHEMY_API_KEY to function.
  • New Prometheus metrics track LLM token usage and tool calls (when supported by your endpoint).
  • The Internet Traffic challenge tag has been renamed to External Dependency and broadened to better reflect its scope of highlighting prerequisites for LLM- and Web3-dependent challenges.

The renamed External Dependency challenge tags

Configuration also gets stricter enum validation for several options like codingChallengesEnabled and hintPlaybackSpeed, helping catch typo-induced surprises in your own yml configs.


🧪 New stock on the shelves and a healthier test kitchen

Restocking time: v20.0.0 ships with 10 new products and a new customer user inspired by a notorious British sitcom character.

The redesigned product grid featuring new juices

On the engineering side, we’ve done a deep clean of our test infrastructure:

  • The API test suite was migrated from Jest & Frisby to the Node.js test runner with Supertest.
  • The frontend test suite moved from Karma to Vitest.
  • Flaky Cypress runs were tamed with force-clicks, and stability fixes landed for the last-login-IP test.
  • New PR compliance and spam-check workflows now keep the repository tidy and protect the project leaders’ mental health.

Comment on a PR closed by our spam detection workflow

And finally, a runtime note: Node.js 20.x is no longer supported. Juice Shop now runs on Node.js 22–25, with 24 as the default.


🍹 Pour yourself a glass

That’s v20.0.0 — a release with something for trainers, CTF organizers, students, and anyone who enjoys breaking things in a safe environment. Grab the new build from the releases page or pull the latest Docker image, and let us know what you think. Happy hacking!

Updated main project logo with more vibrant colors

Updated CTF logo variant with more vibrant colors

With this release, we are also officially releasing the first update of our logos in 10 years! The shape and style remain unchanged, but the colors are now noticeably more vibrant and “popping”.