GHSA-v8x6-59g4-5g3w
HIGHDenial of service binding form from JSON in Play Framework
EPSS Exploitation Probability
EPSS (Exploit Prediction Scoring System) is a daily probability model maintained by FIRST.org. It estimates the likelihood a CVE will be exploited in production environments within the next 30 days, derived from real-world threat intelligence signals.
Blast Radius
com.typesafe.play:play_2.13☕com.typesafe.play:play_2.12Real-time download stats are indexed for npm and PyPI packages. This vulnerability affects Maven packages — download data is not available via public APIs for these ecosystems.
Description
Impact
A denial-of-service vulnerability has been discovered in Play's forms library, in both the Scala and Java APIs. This can occur when using either the Form#bindFromRequest method on a JSON request body or the Form#bind method directly on a JSON value. If the JSON data being bound to the form contains a deeply-nested JSON object or array, the form binding implementation may consume all available heap space and cause an OutOfMemoryError. If executing on the default dispatcher and akka.jvm-exit-on-fatal-error is enabled—as it is by default—then this can crash the application process.
Form.bindFromRequest is vulnerable when using any body parser that produces a type of AnyContent or JsValue in Scala, or one that can produce a JsonNode in Java. This includes Play's default body parser.
Patches
This vulnerability been patched in version 2.8.16. There is now a global limit on the depth of a JSON object that can be parsed, which can be configured by the user if necessary.
Workarounds
Applications that do not need to parse a request body of type application/json can switch from the default body parser to another body parser that supports only the specific type of body they expect; for example, the formUrlEncoded body parser can be used if the Play action only needs to accept application/x-www-form-urlencoded.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| ☕Maven | com.typesafe.play:play_2.13 | ≥ 2.8.3&&< 2.8.16 | 2.8.16 |
| ☕Maven | com.typesafe.play:play_2.12 | ≥ 2.8.3&&< 2.8.16 | 2.8.16 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for com.typesafe.play:play_2.13. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update com.typesafe.play:play_2.13 to 2.8.16 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-v8x6-59g4-5g3w is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-v8x6-59g4-5g3w is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-v8x6-59g4-5g3w. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-v8x6-59g4-5g3w in your dependencies?
O3 detects GHSA-v8x6-59g4-5g3w across Maven dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.