high
7.5
CWE
400
Advisory Published
Updated

CVE-2022-31018: Denial of service binding form from JSON in Play Framework

First published: Thu Jun 02 2022(Updated: )

Play Framework is a web framework for Java and Scala. A denial of service vulnerability has been discovered in verions 2.8.3 through 2.8.15 of Play's forms library, in both the Scala and Java APIs. This can occur when using either the `Form#bindFromRequest` method on a JSON request body or the `Form#bind` method directly on a JSON value. If the JSON data being bound to the form contains a deeply-nested JSON object or array, the form binding implementation may consume all available heap space and cause an `OutOfMemoryError`. If executing on the default dispatcher and `akka.jvm-exit-on-fatal-error` is enabled—as it is by default—then this can crash the application process. `Form.bindFromRequest` is vulnerable when using any body parser that produces a type of `AnyContent` or `JsValue` in Scala, or one that can produce a `JsonNode` in Java. This includes Play's default body parser. This vulnerability been patched in version 2.8.16. There is now a global limit on the depth of a JSON object that can be parsed, which can be configured by the user if necessary. As a workaround, applications that do not need to parse a request body of type `application/json` can switch from the default body parser to another body parser that supports only the specific type of body they expect.

Credit: security-advisories@github.com

Affected SoftwareAffected VersionHow to fix
Lightbend Play Framework>=2.8.3<=2.8.15

Remedy

https://github.com/playframework/playframework/pull/11301

Never miss a vulnerability like this again

Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.

Read MoreStart Free Trial

Reference Links

Frequently Asked Questions

  • What is CVE-2022-31018?

    CVE-2022-31018 is a denial of service vulnerability in versions 2.8.3 through 2.8.15 of Play's forms library in the Play Framework for Java and Scala.

  • What is the severity of CVE-2022-31018?

    The severity of CVE-2022-31018 is high, with a CVSS score of 7.5.

  • How does CVE-2022-31018 affect Play Framework?

    CVE-2022-31018 affects versions 2.8.3 through 2.8.15 of Play's forms library in both the Scala and Java APIs.

  • How can I fix CVE-2022-31018?

    To fix CVE-2022-31018, update Play Framework to version 2.8.16 or higher.

  • Is there any additional information about CVE-2022-31018?

    Yes, you can find additional information about CVE-2022-31018 in the following references: [link1], [link2], [link3].

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2024 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203