Play Framework Security Advisory

Improper Vary header handling in CORS filter


5 Oct 2017


Play’s CORS filter overwrites the Vary header in certain configurations, which in some circumstances can cause cache poisoning: a shared cache may key a response on too few request headers and serve a response generated for one user to another. This could expose sensitive information to unauthorized users.


When the CORS filter is used to match against a specific set of origins (as opposed to allowing any origin), it adds the Vary: Origin header to the response. In doing so it also overwrites any existing values of the Vary header, so entries the action itself set (for example Vary: Cookie on a personalised response) are lost. A shared cache then keys the response on Origin alone and may reuse it for a different user, making the application vulnerable to cache poisoning.

This only impacts applications that set Vary headers in actions filtered by the CORS filter.
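The following Python simulation is an added example, not Play’s code: it models a shared cache that keys entries on the request headers named in Vary, an action that sets Vary: Cookie because its body depends on the session, and a CORS filter in both the vulnerable (overwrite) and fixed (merge) forms. The origin list, URL, cookies and user names are constructed for the example.

```python
"""Shared-cache simulation of the Vary overwrite problem described in the advisory.

All names, origins, cookies and bodies below are constructed sample data.
"""
from typing import Callable, Dict, List, Optional, Tuple

Headers = Dict[str, str]

# Hypothetical allow-list: the filter is configured with specific origins, so it
# must add Vary: Origin to responses it decorates.
ALLOWED_ORIGINS = {"https://app.example"}


def cors_vary_overwrite(resp: Headers, origin: str) -> Headers:
    """Vulnerable behaviour: replaces whatever Vary the action set with 'Origin'."""
    if origin in ALLOWED_ORIGINS:
        resp["Access-Control-Allow-Origin"] = origin
        resp["Vary"] = "Origin"
    return resp


def merge_vary(existing: Optional[str], name: str) -> str:
    """Add a field name to a Vary value without dropping the entries already there."""
    if existing is None or not existing.strip():
        return name
    fields = [f.strip() for f in existing.split(",") if f.strip()]
    if "*" in fields:
        return "*"  # Vary: * already forbids reuse for any other request
    if name.lower() not in {f.lower() for f in fields}:
        fields.append(name)
    return ", ".join(fields)


def cors_vary_merge(resp: Headers, origin: str) -> Headers:
    """Fixed behaviour: appends Origin to Vary and keeps the action's own entries."""
    if origin in ALLOWED_ORIGINS:
        resp["Access-Control-Allow-Origin"] = origin
        resp["Vary"] = merge_vary(resp.get("Vary"), "Origin")
    return resp


class SharedCache:
    """Minimal proxy/CDN-style cache. Each stored entry remembers which request
    headers the response said it varied on, and the values those headers had."""

    def __init__(self) -> None:
        self.entries: Dict[str, List[Tuple[List[str], Headers, str]]] = {}

    def lookup(self, url: str, req: Headers) -> Optional[str]:
        for names, values, body in self.entries.get(url, []):
            if "*" in names:
                continue  # never reused for another request
            if all(req.get(n, "") == values[n] for n in names):
                return body
        return None

    def store(self, url: str, req: Headers, resp: Headers, body: str) -> None:
        names = [v.strip().lower() for v in resp.get("Vary", "").split(",") if v.strip()]
        values = {n: req.get(n, "") for n in names}
        self.entries.setdefault(url, []).append((names, values, body))


# Constructed session table for the personalised action.
SESSIONS = {"session=a": "alice", "session=b": "bob"}


def personalised_action(req: Headers) -> Tuple[Headers, str]:
    """The body depends on Cookie, so the action correctly declares Vary: Cookie."""
    user = SESSIONS.get(req.get("cookie", ""), "anonymous")
    return {"Vary": "Cookie", "Cache-Control": "public, max-age=60"}, f"hello {user}"


def serve(cache: SharedCache, url: str, req: Headers,
          cors_filter: Callable[[Headers, str], Headers]) -> str:
    """Cache in front of the application; the CORS filter runs on every fresh response."""
    cached = cache.lookup(url, req)
    if cached is not None:
        return cached
    resp, body = personalised_action(req)
    resp = cors_filter(resp, req.get("origin", ""))
    cache.store(url, req, resp, body)
    return body


def what_second_user_sees(cors_filter: Callable[[Headers, str], Headers]) -> str:
    """Two users from the same origin hit the same URL; return what the second one gets."""
    cache = SharedCache()
    url = "/api/me"
    serve(cache, url, {"origin": "https://app.example", "cookie": "session=a"}, cors_filter)
    return serve(cache, url, {"origin": "https://app.example", "cookie": "session=b"}, cors_filter)


if __name__ == "__main__":
    print("overwrite:", what_second_user_sees(cors_vary_overwrite))  # alice's response reused
    print("merge:    ", what_second_user_sees(cors_vary_merge))      # cache miss, bob's own
```

With the overwriting filter the stored entry varies only on Origin, so the second user receives the first user's personalised body; with the merging filter the entry varies on Cookie as well and the second request misses the cache. The same effect applies to any other header the action lists in Vary, such as Authorization or Accept-Language.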

Affected Versions


Releases of Play before the fixed versions listed below (2.6.6 in the 2.6 series, 2.5.18 in the 2.5 series), when the CORS filter is configured with a specific list of allowed origins.

Workarounds


Disable the CORS filter (if it is not needed), or disable caching for any pages that depend on additional headers being added to Vary. Cache-Control: no-cache forces a shared cache to revalidate before reuse; Cache-Control: no-store prevents the response from being stored at all.


Fixed Versions


This issue is fixed in Play 2.6.6 and Play 2.5.18.