DoS via JSON parse Stack Overflow

CVE-ID

CVE-2020-27196

Date

1 October 2020

Description

Play body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError.

Impact

This only impacts Play applications implemented using the PlayJava flavor.

Affected versions

• Play 2.8.0-2.8.2
• Play 2.7.0-2.7.5
• Play 2.6.x

Fixes

This issue is fixed on Play 2.8.3 and 2.7.6. There won’t be a 2.6.x release with this fix since this version has reached end-of-support, please upgrade as soon as possible to avoid this security issue.

CVSS Metrics (more info)

Overall: 7.0
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C