Summary: A recently discovered denial of service (DoS) vulnerability in versions 2.8.3 through 2.8.15 of Play Framework's forms library affects both Java and Scala APIs. The vulnerability stems from issues with the Form#bindFromRequest and Form#bind methods. This can be exploited to consume all available heap space, causing an OutOfMemoryError and potentially crashing the application.

Body

Play Framework is a popular web framework for building Java and Scala web applications. A newly discovered denial of service (DoS) vulnerability has been identified in the forms library of Play Framework, specifically affecting versions 2.8.3 through 2.8.15 for both the Scala and Java APIs.

The vulnerability lies in the implementation of the Form#bindFromRequest method on a JSON request body or the Form#bind method directly on a JSON value. When JSON data bound to a form contains a deeply nested JSON object or array, the form binding implementation may consume all available heap space, resulting in an OutOfMemoryError. If this occurs on the default dispatcher and akka.jvm-exit-on-fatal-error is enabled (which is the default setting), it can crash the application process.

Here's a simple code snippet that shows the affected binding call (Form#bind applied directly to a JSON value):

import play.api.data._
import play.api.data.Forms._
import play.api.libs.json.Json

// Target type for the form mapping (was referenced but not defined in the snippet).
case class UserData(name: String, age: Int)

val form = Form(
  mapping(
    "Name" -> text,
    "Age" -> number
  )(UserData.apply)(UserData.unapply)
)

// Binding a parsed JSON value straight into the form: this is the code path
// that, in 2.8.3 through 2.8.15, can exhaust the heap on deeply nested input.
val jsonRequest = Json.parse("""{ "Name": "Alice", "Age": 30 }""")
val boundForm = form.bind(jsonRequest)

Form.bindFromRequest is vulnerable when used with any body parser that produces a body of type AnyContent or JsValue in Scala, or one that can produce a JsonNode in Java. This includes Play's default body parser.

To understand the root cause of this vulnerability, consult the original references:

- Play Framework Security Advisory
- Play Framework Forms Documentation

The Play team has patched the vulnerability in version 2.8.16. The patch introduces a global limit on the depth of a JSON object that can be parsed; users can configure this limit if necessary.

For those who cannot immediately update to the patched version, there is a workaround available. Applications that do not need to parse a request body of type application/json can switch from the default body parser to another body parser that supports only the specific type of body they expect.
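The workaround described above, written out as an added example (not code from the advisory or from the Play project): the same form is bound once behind the default body parser, which accepts application/json, and once behind parse.formUrlEncoded, so that a JSON body is rejected by the parser before it ever reaches the form binder. The controller name and route actions are assumptions for illustration.

```scala
import javax.inject._
import play.api.data._
import play.api.data.Forms._
import play.api.mvc._

// Hypothetical target type for the form mapping.
case class UserData(name: String, age: Int)

@Singleton
class UserController @Inject() (cc: ControllerComponents)
    extends AbstractController(cc) {

  val userForm: Form[UserData] = Form(
    mapping(
      "Name" -> text,
      "Age"  -> number
    )(UserData.apply)(UserData.unapply)
  )

  private def handle(form: Form[UserData]): Result =
    form.fold(
      withErrors => BadRequest(withErrors.errors.map(_.message).mkString(", ")),
      user       => Ok(s"created ${user.name}")
    )

  // Affected shape on 2.8.3 through 2.8.15: the default parser yields AnyContent,
  // so a request with Content-Type: application/json is bound from its JSON body.
  def createWithDefaultParser: Action[AnyContent] = Action { implicit request =>
    handle(userForm.bindFromRequest())
  }

  // Workaround for endpoints that only expect HTML form posts: restrict the parser
  // to application/x-www-form-urlencoded. A JSON body never reaches bindFromRequest;
  // Play answers it with 415 Unsupported Media Type at the body-parser stage.
  def createWithFormParser: Action[Map[String, Seq[String]]] =
    Action(parse.formUrlEncoded) { implicit request =>
      handle(userForm.bindFromRequest())
    }
}
```

Applying the restricted parser only to routes that never need JSON keeps the mitigation local, while the 2.8.16 upgrade remains the complete fix.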

In conclusion, users of Play Framework's forms library should update their applications to version 2.8.16 or implement the suggested workaround to mitigate the DoS vulnerability CVE-2022-31018.

Timeline

Published on: 06/02/2022 17:15:00 UTC
Last modified on: 06/13/2022 12:26:00 UTC