CVE-2020-27196

Name of the Vulnerable Software and Affected Versions Play Framework versions 2.6.0 through 2.8.2

Description An issue was discovered in PlayJava where the body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint causes a StackOverflowError and Denial of Service.

Recommendations For Play Framework versions 2.6.0 through 2.8.2, consider disabling the body parsing of HTTP requests for POST endpoints that do not expect JSON payloads as a temporary workaround until a patch is available. Restrict access to valid POST endpoints to minimize the risk of exploitation. Avoid sending deep JSON structures to valid POST endpoints until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.