Beny23

**Name of the Vulnerable Software and Affected Versions** Play Framework versions 2.8.3 through 2.8.15 **Description** A denial of service issue has been discovered in Play Framework's forms library, affecting both Scala and Java APIs. This occurs when using the `Form#bindFromRequest` method on a JSON request body or the `Form#bind` method directly on a JSON value, and the JSON data contains a deeply-nested JSON object or array, potentially consuming all available heap space and causing an `OutOfMemoryError`. If executing on the default dispatcher and `akka.jvm-exit-on-fatal-error` is enabled, this can crash the application process. `Form.bindFromRequest` is vulnerable when using any body parser that produces a type of `AnyContent` or `JsValue` in Scala, or one that can produce a `JsonNode` in Java, including Play's default body parser. **Recommendations** For versions 2.8.3 through 2.8.15, update to version 2.8.16, which includes a global limit on the depth of a JSON object that can be parsed, configurable by the user if necessary. As a temporary workaround, consider switching from the default body parser to another body parser that supports only the specific type of body expected, such as the `formUrlEncoded` body parser for `application/x-www-form-urlencoded` requests.