Lightbend Play Framework 2.5.x Insufficiently Protected Credentials Vulnerability


When WSClient has been configured to use an authenticated proxy server and is making outbound HTTPS requests, we see HTTP CONNECT requests being sent from WSClient to the target host.



The information has been provided by Sunny Chotai.

The original article can be found at:


An issue was discovered in Lightbend Play Framework 2.5.x through 2.6.23. When play-ws is configured to make requests through an authenticated HTTP proxy, it may sometimes, typically under high load, expose the proxy credentials to the target host when connecting to that host over HTTPS.
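A detection sketch for the exposure described above, added here as an example and not taken from the advisory or from the Play project: it scans request heads captured on the target-host side of the connection and flags any that carry a Proxy-Authorization header, reporting which proxy account needs rotating. The capture point, the function names and the sample data are assumptions made for illustration.

```python
import base64


def parse_head(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, headers)."""
    lines = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        raise ValueError("not an HTTP request line")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def find_leaked_proxy_credentials(heads_seen_by_target):
    """Flag requests that reached the target carrying Proxy-Authorization.

    Only the scheme and username are reported; the password is never kept.
    """
    findings = []
    for raw in heads_seen_by_target:
        try:
            method, target, headers = parse_head(raw)
        except ValueError:
            continue  # not plaintext HTTP, e.g. a TLS record
        cred = headers.get("proxy-authorization")
        if cred is None:
            continue
        scheme, _, blob = cred.partition(" ")
        username = "<not decoded>"
        if scheme.lower() == "basic":
            try:
                pair = base64.b64decode(blob.strip(), validate=True)
                username = pair.decode("utf-8", "replace").partition(":")[0]
            except ValueError:
                username = "<undecodable>"
        findings.append({"method": method, "target": target,
                         "scheme": scheme, "username": username})
    return findings


# Constructed sample capture: a leaked CONNECT, a TLS record, a clean GET.
SAMPLE = [
    b"CONNECT api.example.test:443 HTTP/1.1\r\nHost: api.example.test:443\r\n"
    b"Proxy-Authorization: Basic "
    + base64.b64encode(b"svc-proxy:constructed-secret") + b"\r\n\r\n",
    b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03",
    b"GET /health HTTP/1.1\r\nHost: api.example.test\r\n\r\n",
]
```

Any finding means the proxy credential has left the proxy hop and should be treated as disclosed to that target.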


Vulnerable Systems:

Lightbend Play Framework 2.5.x through 2.6.23


CVE Information:



Disclosure Timeline:
Published Date: 11/5/2019