Receiving security advisories
The best way to receive any and all security announcements is to subscribe to the Play security list.
The mailing list is very low traffic, and receives notifications only after Security reports have been managed by the core team and fixes are publicly available.
Reporting vulnerabilities
We strongly encourage people to report such problems to our private security mailing list first, before disclosing them in a public forum.
All security bugs in Play should be reported by email to [email protected]. This list is delivered to a subset of the core team who handle security issues.
Play 2.8.x
Fixed in Play 2.8.16
- CVE-2022-31018 - Denial of service when binding forms from JSON
- CVE-2022-31023 - Dev error stack trace leaking into prod
Fixed in Play 2.8.5
- CVE-2020-28923-ImproperRemovalofSensitiveInformationBeforeStorageorTransfer - Improper Removal of Sensitive Information Before Storage or Transfer
Fixed in Play 2.8.3
- CVE-2020-26882-JsonParseDataAmplification - JSON parse Data Amplification
- CVE-2020-26883-JsonParseUncontrolledRecursion - JSON parse Uncontrolled Recursion
- CVE-2020-27196-DosViaJsonStackOverflow - DoS via JSON parse Stack Overflow
Fixed in Play 2.8.2
CVE-2020-12480-CsrfBlacklistBypass - Play CSRF Filter Content-Type black list bypass
Play 2.7.x
Fixed in Play 2.7.6
- CVE-2020-26882-JsonParseDataAmplification - JSON parse Data Amplification
- CVE-2020-26883-JsonParseUncontrolledRecursion - JSON parse Uncontrolled Recursion
- CVE-2020-27196-DosViaJsonStackOverflow - DoS via JSON parse Stack Overflow
Fixed in Play 2.7.5
CVE-2020-12480-CsrfBlacklistBypass - Play CSRF Filter Content-Type black list bypass
Play 2.6.x
Fixed in Play 2.6.24
CVE-2019-17598-PlayWSHttpConnectAuthorizationHeaders - Play-WS sending HTTP CONNECT including authorizing headers to target host
Fixed in Play 2.6.16
CVE-2018-13864-PathTraversal - Path traversal in Assets controller
Fixed in Play 2.6.6
20171005-CorsVaryHeader - improper Vary header handling in CORS filter
Fixed in Play 2.6.5
20170828-InvalidUriParsing - AsyncHttpClient and Play WS URI parsing vulnerability
Play 2.5.x
Fixed in Play 2.5.18
20171005-CorsVaryHeader - improper Vary header handling in CORS filter
Fixed in Play 2.5.14
20170407-LogbackDeser - Java Deserialization vulnerability in Logback SocketAppender
Fixed in Play 2.5.11
20170120-WSOAuthDoS - WS OAuth Denial of Service
Play 2.4.x
Fixed in Play 2.5.0
20160304-CsrfBypass - CSRF Bypass
Fixed in Play 2.4.8
20160622-JavaScriptRouterXSS - JavaScript router XSS
Play 2.3.x
Fixed in Play 2.3.9
CVE-2015-2156-HttpOnlyBypass - Http only cookie bypass
Fixed in Play 2.3.5
CVE-2014-3630-XmlExternalEntity - XML external entity vulnerability
Play 2.2.x
Fixed in Play 2.2.6
CVE-2014-3630-XmlExternalEntity - XML external entity vulnerability
Play 2.1.x
Fixed in Play 2.1.5
20130920-XmlExternalEntity - XML external entity vulnerability
Fixed in Play 2.1.4
20130911-XmlExternalEntity - XML external entity vulnerability
Fixed in Play 2.1.3
20130806-SessionInjection - Session injection vulnerability
Play 2.0.x
Fixed in Play 2.0.8
20130920-XmlExternalEntity - XML external entity vulnerability
Fixed in Play 2.0.7
20130911-XmlExternalEntity - XML external entity vulnerability
Fixed in Play 2.0.6
20130806-SessionInjection - Session injection vulnerability
Play 1.4.x
Fixed in Play 1.4.2
20160301-XssSecureModule - XSS vulnerability in the Secure module login page
Fixed in Play 1.4.1
20151230-SessionHijack - Session Hijack vulnerability
Play 1.3.x
Fixed in Play 1.3.4
20160301-XssSecureModule - XSS vulnerability in the Secure module login page
Fixed in Play 1.3.3
20151230-SessionHijack - Session Hijack vulnerability
Fixed in Play 1.3.1
20150506-XssUrlParamerter - XSS url parameter vulnerability
Play 1.2.x
Fixed in Play 1.2.7.2
20150506-XssUrlParamerter - XSS url parameter vulnerability
Fixed in Play 2.8.16
- CVE-2022-31018 - Denial of service when binding forms from JSON
- CVE-2022-31023 - Dev error stack trace leaking into prod
Fixed in Play 2.8.5
- CVE-2020-28923-ImproperRemovalofSensitiveInformationBeforeStorageorTransfer - Improper Removal of Sensitive Information Before Storage or Transfer
Fixed in Play 2.8.3
- CVE-2020-26882-JsonParseDataAmplification - JSON parse Data Amplification
- CVE-2020-26883-JsonParseUncontrolledRecursion - JSON parse Uncontrolled Recursion
- CVE-2020-27196-DosViaJsonStackOverflow - DoS via JSON parse Stack Overflow
Fixed in Play 2.8.2
-
CVE-2020-12480-CsrfBlacklistBypass - Play CSRF Filter Content-Type black list bypass
Play 2.7.x
Fixed in Play 2.7.6
- CVE-2020-26882-JsonParseDataAmplification - JSON parse Data Amplification
- CVE-2020-26883-JsonParseUncontrolledRecursion - JSON parse Uncontrolled Recursion
- CVE-2020-27196-DosViaJsonStackOverflow - DoS via JSON parse Stack Overflow
Fixed in Play 2.7.5
CVE-2020-12480-CsrfBlacklistBypass - Play CSRF Filter Content-Type black list bypass
Play 2.6.x
Fixed in Play 2.6.24
CVE-2019-17598-PlayWSHttpConnectAuthorizationHeaders - Play-WS sending HTTP CONNECT including authorizing headers to target host
Fixed in Play 2.6.16
CVE-2018-13864-PathTraversal - Path traversal in Assets controller
Fixed in Play 2.6.6
20171005-CorsVaryHeader - improper Vary header handling in CORS filter
Fixed in Play 2.6.5
20170828-InvalidUriParsing - AsyncHttpClient and Play WS URI parsing vulnerability
Play 2.5.x
Fixed in Play 2.5.18
20171005-CorsVaryHeader - improper Vary header handling in CORS filter
Fixed in Play 2.5.14
20170407-LogbackDeser - Java Deserialization vulnerability in Logback SocketAppender
Fixed in Play 2.5.11
20170120-WSOAuthDoS - WS OAuth Denial of Service
Play 2.4.x
Fixed in Play 2.5.0
20160304-CsrfBypass - CSRF Bypass
Fixed in Play 2.4.8
20160622-JavaScriptRouterXSS - JavaScript router XSS
Play 2.3.x
Fixed in Play 2.3.9
CVE-2015-2156-HttpOnlyBypass - Http only cookie bypass
Fixed in Play 2.3.5
CVE-2014-3630-XmlExternalEntity - XML external entity vulnerability
Play 2.2.x
Fixed in Play 2.2.6
CVE-2014-3630-XmlExternalEntity - XML external entity vulnerability
Play 2.1.x
Fixed in Play 2.1.5
20130920-XmlExternalEntity - XML external entity vulnerability
Fixed in Play 2.1.4
20130911-XmlExternalEntity - XML external entity vulnerability
Fixed in Play 2.1.3
20130806-SessionInjection - Session injection vulnerability
Play 2.0.x
Fixed in Play 2.0.8
20130920-XmlExternalEntity - XML external entity vulnerability
Fixed in Play 2.0.7
20130911-XmlExternalEntity - XML external entity vulnerability
Fixed in Play 2.0.6
20130806-SessionInjection - Session injection vulnerability
Play 1.4.x
Fixed in Play 1.4.2
20160301-XssSecureModule - XSS vulnerability in the Secure module login page
Fixed in Play 1.4.1
20151230-SessionHijack - Session Hijack vulnerability
Play 1.3.x
Fixed in Play 1.3.4
20160301-XssSecureModule - XSS vulnerability in the Secure module login page
Fixed in Play 1.3.3
20151230-SessionHijack - Session Hijack vulnerability
Fixed in Play 1.3.1
20150506-XssUrlParamerter - XSS url parameter vulnerability
Play 1.2.x
Fixed in Play 1.2.7.2
20150506-XssUrlParamerter - XSS url parameter vulnerability
Fixed in Play 2.7.6
- CVE-2020-26882-JsonParseDataAmplification - JSON parse Data Amplification
- CVE-2020-26883-JsonParseUncontrolledRecursion - JSON parse Uncontrolled Recursion
- CVE-2020-27196-DosViaJsonStackOverflow - DoS via JSON parse Stack Overflow
Fixed in Play 2.7.5
-
CVE-2020-12480-CsrfBlacklistBypass - Play CSRF Filter Content-Type black list bypass
Play 2.6.x
Fixed in Play 2.6.24
CVE-2019-17598-PlayWSHttpConnectAuthorizationHeaders - Play-WS sending HTTP CONNECT including authorizing headers to target host
Fixed in Play 2.6.16
CVE-2018-13864-PathTraversal - Path traversal in Assets controller
Fixed in Play 2.6.6
20171005-CorsVaryHeader - improper Vary header handling in CORS filter
Fixed in Play 2.6.5
20170828-InvalidUriParsing - AsyncHttpClient and Play WS URI parsing vulnerability
Play 2.5.x
Fixed in Play 2.5.18
20171005-CorsVaryHeader - improper Vary header handling in CORS filter
Fixed in Play 2.5.14
20170407-LogbackDeser - Java Deserialization vulnerability in Logback SocketAppender
Fixed in Play 2.5.11
20170120-WSOAuthDoS - WS OAuth Denial of Service
Play 2.4.x
Fixed in Play 2.5.0
20160304-CsrfBypass - CSRF Bypass
Fixed in Play 2.4.8
20160622-JavaScriptRouterXSS - JavaScript router XSS
Play 2.3.x
Fixed in Play 2.3.9
CVE-2015-2156-HttpOnlyBypass - Http only cookie bypass
Fixed in Play 2.3.5
CVE-2014-3630-XmlExternalEntity - XML external entity vulnerability
Play 2.2.x
Fixed in Play 2.2.6
CVE-2014-3630-XmlExternalEntity - XML external entity vulnerability
Play 2.1.x
Fixed in Play 2.1.5
20130920-XmlExternalEntity - XML external entity vulnerability
Fixed in Play 2.1.4
20130911-XmlExternalEntity - XML external entity vulnerability
Fixed in Play 2.1.3
20130806-SessionInjection - Session injection vulnerability
Play 2.0.x
Fixed in Play 2.0.8
20130920-XmlExternalEntity - XML external entity vulnerability
Fixed in Play 2.0.7
20130911-XmlExternalEntity - XML external entity vulnerability
Fixed in Play 2.0.6
20130806-SessionInjection - Session injection vulnerability
Play 1.4.x
Fixed in Play 1.4.2
20160301-XssSecureModule - XSS vulnerability in the Secure module login page
Fixed in Play 1.4.1
20151230-SessionHijack - Session Hijack vulnerability
Play 1.3.x
Fixed in Play 1.3.4
20160301-XssSecureModule - XSS vulnerability in the Secure module login page
Fixed in Play 1.3.3
20151230-SessionHijack - Session Hijack vulnerability
Fixed in Play 1.3.1
20150506-XssUrlParamerter - XSS url parameter vulnerability
Play 1.2.x
Fixed in Play 1.2.7.2
20150506-XssUrlParamerter - XSS url parameter vulnerability
Fixed in Play 2.6.24
-
CVE-2019-17598-PlayWSHttpConnectAuthorizationHeaders - Play-WS sending HTTP CONNECT including authorizing headers to target host
Fixed in Play 2.6.16
-
CVE-2018-13864-PathTraversal - Path traversal in Assets controller
Fixed in Play 2.6.6
-
20171005-CorsVaryHeader - improper Vary header handling in CORS filter
Fixed in Play 2.6.5
-
20170828-InvalidUriParsing - AsyncHttpClient and Play WS URI parsing vulnerability
Play 2.5.x
Fixed in Play 2.5.18
-
20171005-CorsVaryHeader - improper Vary header handling in CORS filter
Fixed in Play 2.5.14
-
20170407-LogbackDeser - Java Deserialization vulnerability in Logback SocketAppender
Fixed in Play 2.5.11
-
20170120-WSOAuthDoS - WS OAuth Denial of Service
Play 2.4.x
Fixed in Play 2.5.0
-
20160304-CsrfBypass - CSRF Bypass
Fixed in Play 2.4.8
-
20160622-JavaScriptRouterXSS - JavaScript router XSS
Play 2.3.x
Fixed in Play 2.3.9
-
CVE-2015-2156-HttpOnlyBypass - Http only cookie bypass
Fixed in Play 2.3.5
-
CVE-2014-3630-XmlExternalEntity - XML external entity vulnerability
Play 2.2.x
Fixed in Play 2.2.6
-
CVE-2014-3630-XmlExternalEntity - XML external entity vulnerability
Play 2.1.x
Fixed in Play 2.1.5
-
20130920-XmlExternalEntity - XML external entity vulnerability
Fixed in Play 2.1.4
-
20130911-XmlExternalEntity - XML external entity vulnerability
Fixed in Play 2.1.3
-
20130806-SessionInjection - Session injection vulnerability
Play 2.0.x
Fixed in Play 2.0.8
-
20130920-XmlExternalEntity - XML external entity vulnerability
Fixed in Play 2.0.7
-
20130911-XmlExternalEntity - XML external entity vulnerability
Fixed in Play 2.0.6
-
20130806-SessionInjection - Session injection vulnerability
Play 1.4.x
Fixed in Play 1.4.2
-
20160301-XssSecureModule - XSS vulnerability in the Secure module login page
Fixed in Play 1.4.1
-
20151230-SessionHijack - Session Hijack vulnerability
Play 1.3.x
Fixed in Play 1.3.4
-
20160301-XssSecureModule - XSS vulnerability in the Secure module login page
Fixed in Play 1.3.3
-
20151230-SessionHijack - Session Hijack vulnerability
Fixed in Play 1.3.1
-
20150506-XssUrlParamerter - XSS url parameter vulnerability
Play 1.2.x
Fixed in Play 1.2.7.2
-
20150506-XssUrlParamerter - XSS url parameter vulnerability