Static Code Injection in playframework/play-samples


Reported on

Jan 16th 2022


"play-samples" project uses the vulnerable log4j library (2.17.0). This can cause potential RCE vulnerability on the project. Vulnerability: CVE-2021-44832 (Remote Code Execution). Another reference from Apache for CVE-2021-44832. You should upgrade the log4j library to latest version.

Proof of Concept

You can see the version of the used log4j library from this file:

val log4jVersion = "2.17.0"

lazy val root = (project in file("."))
    name := """play-scala-log4j2-example""",
    version := "1.0-SNAPSHOT",
    scalaVersion := "2.13.6",
    libraryDependencies ++= Seq(
      "org.apache.logging.log4j" % "log4j-slf4j-impl" % log4jVersion,
      "org.apache.logging.log4j" % "log4j-api" % log4jVersion,
      "org.apache.logging.log4j" % "log4j-core" % log4jVersion,
      "" %% "scalatestplus-play" % "5.0.0" % Test,
    scalacOptions ++= Seq(


This vulnerable library can cause Remote Code Execution vulnerability on the "play-samples" project. You should upgrade this library.


We are processing your report and will contact the playframework/play-samples team within 24 hours. a year ago
We created a GitHub Issue asking the maintainers to create a a year ago
We have contacted a member of the playframework/play-samples team and are waiting to hear back a year ago
a year ago


Hi, I think PR will be merged. Can you approve this report?

Matthias Kurz
a year ago


I merged the PR. However the projects in the repo are just example projects, they are not part of the Play Framework source code itself. Some of the projects are outdated AFAIK. So I wouldn't really count that as security vulnerability. Anyway, approving.

Matthias Kurz validated this vulnerability a year ago
oivrip has been awarded the disclosure bounty
The fix bounty is now up for grabs
Matthias Kurz marked this as fixed in commit 974717239220cb75fbba33c27a15d8c70525619c with commit 257d0d a year ago
Matthias Kurz has been awarded the fix bounty
This vulnerability will not receive a CVE
build.sbt#L1 has been validated
to join this conversation