CVE-2020-27196
Description
Play Framework 2.6.0-2.8.2 DoS via stack overflow from deeply nested JSON payloads in PlayJava.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Overview
Play Framework versions 2.6.0 through 2.8.2 contain a vulnerability in the HTTP body parsing mechanism. The parser eagerly processes JSON payloads based on the Content-Type header, regardless of whether the endpoint expects JSON. Sending a deeply nested JSON object triggers a StackOverflowError, leading to a denial of service (DoS) [1][3].
Attack Vector
An unauthenticated attacker can exploit this by sending a POST request with a deeply nested JSON structure to any valid endpoint. The attack requires no special privileges and can be launched remotely over the network [1][3].
Impact
Successful exploitation causes a StackOverflowError, crashing the application server and resulting in a denial of service. The vulnerability has a CVSS v3.1 score of 7.0 (High) with the vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H [1][3].
Mitigation
The issue is fixed in Play Framework versions 2.8.3 and 2.7.6. Play 2.6.x has reached end-of-life and will not receive a fix; users are strongly advised to upgrade to a supported version [3].
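As an added illustration of a compensating control (not code from the advisory, from Play, or from the cited pull request), the guard below shows the two points the Overview makes: a body is only handed to the JSON parser when the endpoint actually expects JSON, and a non-recursive scan rejects payloads whose bracket nesting exceeds a cap before any recursive parser can overflow the stack. The cap value of 64 and the function names are assumptions.

```python
import json

MAX_DEPTH = 64  # assumed cap; tune to the deepest structure your endpoints need


def json_nesting_depth(body: bytes, limit: int = MAX_DEPTH) -> int:
    """Return the maximum {}/[] nesting depth of a JSON document.

    Scans raw bytes iteratively, so the check itself cannot overflow the
    stack. Brackets inside string literals (including escaped quotes) are
    ignored. Returns early as soon as the depth exceeds `limit`.
    """
    depth = max_depth = 0
    in_string = escaped = False
    for ch in body:
        if in_string:
            if escaped:
                escaped = False
            elif ch == 0x5C:          # backslash starts an escape sequence
                escaped = True
            elif ch == 0x22:          # unescaped quote closes the string
                in_string = False
            continue
        if ch == 0x22:                # opening quote
            in_string = True
        elif ch in (0x7B, 0x5B):      # '{' or '['
            depth += 1
            if depth > max_depth:
                max_depth = depth
                if max_depth > limit:
                    return max_depth  # already too deep; stop scanning
        elif ch in (0x7D, 0x5D):      # '}' or ']'
            depth -= 1
    return max_depth


def check_json_body(content_type: str, body: bytes,
                    expects_json: bool = True, limit: int = MAX_DEPTH):
    """Gatekeeper run before parsing: None means the body may be parsed,
    otherwise a short reason why it must be rejected."""
    if not expects_json:
        return "endpoint does not accept JSON"
    if not content_type.lower().startswith("application/json"):
        return "not a JSON content type"
    if json_nesting_depth(body, limit) > limit:
        return "nesting depth exceeds limit"
    return None


def parse_json_body(content_type: str, body: bytes, expects_json: bool = True):
    """Parse only after the gatekeeper accepts the body; otherwise raise."""
    reason = check_json_body(content_type, body, expects_json)
    if reason is not None:
        raise ValueError(reason)
    return json.loads(body)
```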
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| com.typesafe.play:play | Maven | >= 2.6.0, < 2.7.6 | 2.7.6 |
| com.typesafe.play:play | Maven | >= 2.8.0, < 2.8.3 | 2.8.3 |
| com.typesafe.play:play-java | Maven | >= 2.6.0, < 2.7.6 | 2.7.6 |
| com.typesafe.play:play-java | Maven | >= 2.8.0, < 2.8.3 | 2.8.3 |
Affected products (3)
- PlayJava / Play Framework (description)
- GHSA coordinates (2 versions): >= 2.6.0, < 2.7.6, + 1 more
- (no CPE) range: >= 2.6.0, < 2.7.6
- (no CPE) range: >= 2.6.0, < 2.7.6
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (5)
- github.com/advisories/GHSA-h48w-c35p-6m8x (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-27196 (ghsa, ADVISORY)
- github.com/playframework/playframework/pull/10321 (ghsa, WEB)
- www.playframework.com/security/vulnerability (mitre, x_refsource_MISC)
- www.playframework.com/security/vulnerability/CVE-2020-27196-DosViaJsonStackOverflow (ghsa, x_refsource_MISC, WEB)
News mentions (0)
No linked articles in our index yet.