CVE-2020-27196

HIGH

Play Framework 2.6.0-2.8.2 - Denial of Service via Deep JSON Structure

Title source: llm
STIX 2.1

Description

An issue was discovered in PlayJava in Play Framework 2.6.0 through 2.8.2. The body parsing of HTTP requests eagerly parses a payload given a Content-Type header. A deep JSON structure sent to a valid POST endpoint (that may or may not expect JSON payloads) causes a StackOverflowError and Denial of Service.

References (2)

Core 2

Scores

CVSS v3 7.5
EPSS 0.0139
EPSS Percentile 69.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-787
Status published
Products (3)
com.typesafe.play/play 2.6.0 - 2.7.6Maven
com.typesafe.play/play-java 2.6.0 - 2.7.6Maven
lightbend/play_framework < 2.6.25
Published Nov 06, 2020
Tracked Since Feb 18, 2026