A vulnerability has been found in Play's CSRF support when the victim is using recent versions of Chrome. The Chrome Beacon extension allows bypass of CSRF checks under certain situations.
The vulnerability has been fixed in Play 2.5.0, and workarounds have been published for other Play versions.
For details on this vulnerability, including the workarounds, please see the vulnerability advisory on the Play website:
Regards,
--
James Roper
Software Engineer