CVE-2022-31018

Name of the Vulnerable Software and Affected Versions Play Framework versions 2.8.3 through 2.8.15

Description A denial of service issue has been discovered in Play Framework's forms library, affecting both Scala and Java APIs. This occurs when using the Form#bindFromRequest method on a JSON request body or the Form#bind method directly on a JSON value, and the JSON data contains a deeply-nested JSON object or array, potentially consuming all available heap space and causing an OutOfMemoryError. If executing on the default dispatcher and akka.jvm-exit-on-fatal-error is enabled, this can crash the application process. Form.bindFromRequest is vulnerable when using any body parser that produces a type of AnyContent or JsValue in Scala, or one that can produce a JsonNode in Java, including Play's default body parser.

Recommendations For versions 2.8.3 through 2.8.15, update to version 2.8.16, which includes a global limit on the depth of a JSON object that can be parsed, configurable by the user if necessary. As a temporary workaround, consider switching from the default body parser to another body parser that supports only the specific type of body expected, such as the formUrlEncoded body parser for application/x-www-form-urlencoded requests.