Play Framework CSRF Bypass


James Roper

Mar 4, 2016, 9:53:51 AM
to play-framew...@googlegroups.com
A vulnerability has been found in Play's CSRF support when the victim is using recent versions of Chrome. The Chrome Beacon extension allows bypass of CSRF checks under certain situations.

The vulnerability has been fixed in Play 2.5.0, and workarounds have been published for other Play versions.

For details on this vulnerability, including the workarounds, please see the vulnerability advisory on the Play website:


Regards,

--
James Roper
Software Engineer

Lightbend – Build reactive apps!
Twitter: @jroper