Play Framework Security Advisory

XML External Entities

7 Oct 2014

Update 19 Nov 2014: Play 2.2.6 released with fix.


A vulnerability has been found in Play’s Java XML processing.

An attacker may use XML external entities to read files from the file system, reach hosts on the internal network, or mount a denial of service against the application.


This affects any application that uses the Java play.libs.XML API directly to parse XML from an untrusted source, or uses Play's WS client API to parse XML responses from an untrusted server.

Specifically, this vulnerability does not affect Java actions that receive requests that contain XML bodies. It also does not affect any Scala XML processing APIs offered in Play.

Affected Versions


Do not use the play.libs.XML API to parse XML; instead use a DocumentBuilderFactory configured as described by OWASP.

Do not use the method; instead use the getBody method and parse the result with a securely configured DocumentBuilderFactory.


Upgrade to Play 2.3.5 or Play 2.2.6.

CVSS metrics


Credit for finding this vulnerability goes to David Jorm of Red Hat Product Security.