Play Framework Security Advisory

Session Injection


06 Aug 2013


A vulnerability has been found in Play’s session encoding.

An attacker may inject arbitrary data into a session, by tricking Play to place a specially crafted value containing null bytes into the Play session.


Any application that places user input data into Play’s stateless session mechanism may be vulnerable.

Typically, this will impact applications that store the username in the session for authentication purposes, and will allow an attacker to identify themselves as another user.

Affected Versions


Validate that no values being placed into a session contain null bytes.


Upgrade to the appropriate version below:

CVSS metrics (more info)


Credit for finding this vulnerability goes to the National Australia Bank Security Assurance Team.