CVE-2022-31023: CWE-209: Generation of Error Message Containing Sensitive Information in playframework playframework
Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play's `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.
AI Analysis
Technical Summary
CVE-2022-31023 is a vulnerability in Play Framework, a popular web framework for Java and Scala applications. Versions prior to 2.8.16 are affected. The vulnerability arises from the way Play Framework handles error messages in production environments. Specifically, the framework's DefaultHttpErrorHandler is configured to show verbose error messages, including detailed exception stack traces, when running in development mode to facilitate debugging. However, a static object DefaultHttpErrorHandler is also provided in the Scala API, which is configured to always show verbose errors regardless of the application mode. This static object is used as a default value in certain APIs, such as the constructors for CORSFilter and the apply method for CORSActionBuilder. If this static object is inadvertently used in production, or if the DefaultHttpErrorHandler instance is improperly configured as the injected error handler, verbose error messages containing sensitive information may be exposed to end users. Such information could include internal application details, stack traces, or other data that could aid an attacker in reconnaissance or exploitation. The issue was addressed in Play Framework version 2.8.16 by changing the DefaultHttpErrorHandler object to use production-mode behavior by default and introducing a separate DevHttpErrorHandler for development mode. A workaround involves explicitly passing a properly configured HttpErrorHandler instance (typically obtained via dependency injection or Play's BuiltInComponents) when constructing CORSFilter or CORSActionBuilder, ensuring that the static DefaultHttpErrorHandler object is not used in production code. No known exploits have been reported in the wild, and no CVSS score is assigned to this vulnerability. The underlying weakness corresponds to CWE-209, which concerns the generation of error messages containing sensitive information.
Potential Impact
For European organizations using Play Framework versions prior to 2.8.16 in production environments, this vulnerability could lead to inadvertent disclosure of sensitive internal application information through verbose error messages. Such disclosures can facilitate attackers' understanding of the application architecture, logic flaws, or configuration details, potentially enabling further targeted attacks such as injection, privilege escalation, or data exfiltration. While the vulnerability does not directly allow remote code execution or data modification, the information leakage compromises confidentiality and could indirectly impact integrity and availability if leveraged in multi-stage attacks. Organizations in sectors with stringent data protection requirements (e.g., finance, healthcare, government) may face regulatory and reputational risks if sensitive information is exposed. The impact is heightened in environments where error handling is not carefully audited or where default configurations are used without customization. Since the vulnerability requires the application to be running in production with improper error handler configuration, the ease of exploitation depends on developer oversight and deployment practices. The scope is limited to applications built on affected Play Framework versions and misconfigured error handling, but given Play Framework's popularity in Europe, the potential exposure is non-negligible.
Mitigation Recommendations
1. Upgrade all Play Framework instances to version 2.8.16 or later, where the vulnerability is patched. 2. Audit all production applications to ensure that the static DefaultHttpErrorHandler object is not used; instead, error handlers should be injected properly using Play's dependency injection mechanisms or BuiltInComponents. 3. When constructing CORSFilter or CORSActionBuilder components, explicitly pass a correctly configured HttpErrorHandler instance rather than relying on default static objects. 4. Review application configurations to verify that verbose error reporting is disabled in production environments, ensuring that only generic error messages are shown to end users. 5. Implement logging and monitoring to detect any unusual error message disclosures or attempts to trigger verbose errors. 6. Conduct developer training to raise awareness about proper error handling practices in Play Framework applications. 7. For legacy applications where upgrading is not immediately feasible, apply the recommended workaround by explicitly configuring error handlers and restricting access to error pages. 8. Perform regular security code reviews focusing on error handling and information disclosure risks. These steps go beyond generic advice by focusing on specific Play Framework components (CORSFilter, CORSActionBuilder) and configuration practices that are the root cause of the vulnerability.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland, Belgium, Finland
CVE-2022-31023: CWE-209: Generation of Error Message Containing Sensitive Information in playframework playframework
Description
Play Framework is a web framework for Java and Scala. Verions prior to 2.8.16 are vulnerable to generation of error messages containing sensitive information. Play Framework, when run in dev mode, shows verbose errors for easy debugging, including an exception stack trace. Play does this by configuring its `DefaultHttpErrorHandler` to do so based on the application mode. In its Scala API Play also provides a static object `DefaultHttpErrorHandler` that is configured to always show verbose errors. This is used as a default value in some Play APIs, so it is possible to inadvertently use this version in production. It is also possible to improperly configure the `DefaultHttpErrorHandler` object instance as the injected error handler. Both of these situations could result in verbose errors displaying to users in a production application, which could expose sensitive information from the application. In particular, the constructor for `CORSFilter` and `apply` method for `CORSActionBuilder` use the static object `DefaultHttpErrorHandler` as a default value. This is patched in Play Framework 2.8.16. The `DefaultHttpErrorHandler` object has been changed to use the prod-mode behavior, and `DevHttpErrorHandler` has been introduced for the dev-mode behavior. A workaround is available. When constructing a `CORSFilter` or `CORSActionBuilder`, ensure that a properly-configured error handler is passed. Generally this should be done by using the `HttpErrorHandler` instance provided through dependency injection or through Play's `BuiltInComponents`. Ensure that the application is not using the `DefaultHttpErrorHandler` static object in any code that may be run in production.
AI-Powered Analysis
Technical Analysis
CVE-2022-31023 is a vulnerability in Play Framework, a popular web framework for Java and Scala applications. Versions prior to 2.8.16 are affected. The vulnerability arises from the way Play Framework handles error messages in production environments. Specifically, the framework's DefaultHttpErrorHandler is configured to show verbose error messages, including detailed exception stack traces, when running in development mode to facilitate debugging. However, a static object DefaultHttpErrorHandler is also provided in the Scala API, which is configured to always show verbose errors regardless of the application mode. This static object is used as a default value in certain APIs, such as the constructors for CORSFilter and the apply method for CORSActionBuilder. If this static object is inadvertently used in production, or if the DefaultHttpErrorHandler instance is improperly configured as the injected error handler, verbose error messages containing sensitive information may be exposed to end users. Such information could include internal application details, stack traces, or other data that could aid an attacker in reconnaissance or exploitation. The issue was addressed in Play Framework version 2.8.16 by changing the DefaultHttpErrorHandler object to use production-mode behavior by default and introducing a separate DevHttpErrorHandler for development mode. A workaround involves explicitly passing a properly configured HttpErrorHandler instance (typically obtained via dependency injection or Play's BuiltInComponents) when constructing CORSFilter or CORSActionBuilder, ensuring that the static DefaultHttpErrorHandler object is not used in production code. No known exploits have been reported in the wild, and no CVSS score is assigned to this vulnerability. The underlying weakness corresponds to CWE-209, which concerns the generation of error messages containing sensitive information.
Potential Impact
For European organizations using Play Framework versions prior to 2.8.16 in production environments, this vulnerability could lead to inadvertent disclosure of sensitive internal application information through verbose error messages. Such disclosures can facilitate attackers' understanding of the application architecture, logic flaws, or configuration details, potentially enabling further targeted attacks such as injection, privilege escalation, or data exfiltration. While the vulnerability does not directly allow remote code execution or data modification, the information leakage compromises confidentiality and could indirectly impact integrity and availability if leveraged in multi-stage attacks. Organizations in sectors with stringent data protection requirements (e.g., finance, healthcare, government) may face regulatory and reputational risks if sensitive information is exposed. The impact is heightened in environments where error handling is not carefully audited or where default configurations are used without customization. Since the vulnerability requires the application to be running in production with improper error handler configuration, the ease of exploitation depends on developer oversight and deployment practices. The scope is limited to applications built on affected Play Framework versions and misconfigured error handling, but given Play Framework's popularity in Europe, the potential exposure is non-negligible.
Mitigation Recommendations
1. Upgrade all Play Framework instances to version 2.8.16 or later, where the vulnerability is patched. 2. Audit all production applications to ensure that the static DefaultHttpErrorHandler object is not used; instead, error handlers should be injected properly using Play's dependency injection mechanisms or BuiltInComponents. 3. When constructing CORSFilter or CORSActionBuilder components, explicitly pass a correctly configured HttpErrorHandler instance rather than relying on default static objects. 4. Review application configurations to verify that verbose error reporting is disabled in production environments, ensuring that only generic error messages are shown to end users. 5. Implement logging and monitoring to detect any unusual error message disclosures or attempts to trigger verbose errors. 6. Conduct developer training to raise awareness about proper error handling practices in Play Framework applications. 7. For legacy applications where upgrading is not immediately feasible, apply the recommended workaround by explicitly configuring error handlers and restricting access to error pages. 8. Perform regular security code reviews focusing on error handling and information disclosure risks. These steps go beyond generic advice by focusing on specific Play Framework components (CORSFilter, CORSActionBuilder) and configuration practices that are the root cause of the vulnerability.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2022-05-18T00:00:00.000Z
- Cisa Enriched
- true
Threat ID: 682d9843c4522896dcbf30d3
Added to database: 5/21/2025, 9:09:23 AM
Last enriched: 6/23/2025, 7:36:12 AM
Last updated: 7/28/2025, 3:26:41 PM
Views: 10
Related Threats
CVE-2025-8926: SQL Injection in SourceCodester COVID 19 Testing Management System
MediumCVE-2025-43986: n/a
UnknownCVE-2025-43982: n/a
CriticalCVE-2025-8925: SQL Injection in itsourcecode Sports Management System
MediumCVE-2025-8924: SQL Injection in Campcodes Online Water Billing System
MediumActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.