Play Framework Security Advisory

JSON parse Uncontrolled Recursion

CVE-ID

CVE-2020-26883

Date

1 October 2020

Description

Carefully crafted JSON payloads sent as a form field lead to Uncontrolled Recursion.

Impact

This only impacts Play applications implemented using the PlayJava flavor.

Affected versions

Fixes

This issue is fixed on Play 2.8.3 and 2.7.6. There won’t be a 2.6.x release with this fix since this version has reached end-of-support, please upgrade as soon as possible to avoid this security issue.

CVSS Metrics (more info)

Overall: 6.7
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C

Acknowledgements

Credit for finding this vulnerability goes to The Gemini Security Team, Doyensec and @lucash-dev.