Play Framework Security Advisory

WS invalid URI parsing


28 Aug 2017


A low-severity vulnerability has been found in the URI parsing of AsyncHttpClient, which is used by the Play WS client and by the play-ws-standalone library.

This library causes the WS API to improperly parse the URI’s authority component if it is followed by #. For example, passing will actually make a request to

The AsyncHttpClient issue is also described in AsyncHttpClient issue 1455


If users are allowed to pass arbitrary URI strings, this vulnerability could be used to circumvent whitelists or blacklists of host names. An RFC-compliant parser would correctly parse Note that this issue does not affect URIs like, with the slash at the beginning of the path.

Affected Versions


Parse the URI using a compliant parser like If the path is empty, replace the empty path with a single slash.


Upgrade to play-ws-standalone 1.0.7, or, if using Play 2.5.x, upgrade to async-http-client 2.0.35. The issue has not been fixed in the AsyncHttpClient used by Play 2.4.x and earlier.

The correct version will automatically be provided in Play 2.6.4 and higher, and Play 2.5.17 and higher.


Credit for finding this vulnerability in AsyncHttpClient goes to Nicolas Grégoire from Agarri.