Scala Dynamic Unsafe Reflection
Description
Detects unsafe use of Scala reflection APIs that could allow attackers to execute arbitrary code. This vulnerability occurs when user-controlled input is passed to reflection methods in Play Framework applications, potentially leading to remote code execution.
Detection Strategy
• Check if the Play Framework MVC package is imported in the source code
• Search for calls to dangerous reflection methods like ClassLoader.loadClass or Class.forName
• Verify if the reflection method arguments contain dynamic or user-controlled values rather than static strings
• Report a vulnerability when reflection calls use unvalidated input in Play Framework controllers
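A compact implementation of the four-step strategy above, as an added example that is not Fluid Attacks' own detector: a regex-based scanner over Scala source that reports Class.forName/loadClass calls whose argument is not a single string literal, but only in files importing play.api.mvc. The sample controllers embedded below are constructed for the demonstration.

```python
import re

# Step 1: the file must import the Play MVC package to count as a controller.
PLAY_IMPORT = re.compile(r"^\s*import\s+play\.api\.mvc\b", re.MULTILINE)
# Step 2: the reflection entry points named in the rule.
REFLECTION_CALL = re.compile(r"\b(Class\.forName|loadClass)\s*\(\s*([^)]*?)\s*\)")
# Step 3: a single double-quoted literal is considered static; anything else is dynamic.
STATIC_STRING = re.compile(r'^"[^"]*"$')


def find_unsafe_reflection(source):
    """Return (line_number, method, argument) for each reflection call whose
    argument is not a static string literal. Whitelist lookups such as
    Class.forName(allowed(key)) are still reported and need manual review."""
    if not PLAY_IMPORT.search(source):
        return []  # not a Play controller: out of scope for this rule
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for match in REFLECTION_CALL.finditer(line):
            method, argument = match.group(1), match.group(2)
            if not STATIC_STRING.match(argument):
                findings.append((lineno, method, argument))  # step 4: report
    return findings


# Constructed sample: the page's vulnerable controller (query string -> Class.forName).
VULNERABLE_CONTROLLER = '''import play.api.mvc._
class ReflectionController(cc: ControllerComponents) extends AbstractController(cc) {
  def vulnReflection = Action { request =>
    val className = request.getQueryString("class").getOrElse("")
    val loadedClass = Class.forName(className)
    Ok("Class loaded: " + loadedClass.getName)
  }
}
'''

# Constructed sample: same shape, but the class name is a static literal.
SAFE_CONTROLLER = '''import play.api.mvc._
class FixedController(cc: ControllerComponents) extends AbstractController(cc) {
  def fixed = Action { Ok(Class.forName("com.example.User").getName) }
}
'''

# Constructed sample: dynamic reflection outside Play MVC, ignored by this rule.
NON_PLAY_SOURCE = 'object Util { def load(n: String) = Class.forName(n) }\n'

if __name__ == "__main__":
    for name, src in [("vulnerable", VULNERABLE_CONTROLLER), ("safe", SAFE_CONTROLLER)]:
        print(name, find_unsafe_reflection(src))
```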
Vulnerable code example

import play.api.mvc._
class ReflectionController(cc: ControllerComponents) extends AbstractController(cc) {
  def vulnReflection = Action { request =>
    val className = request.getQueryString("class").getOrElse("")
    val loadedClass = Class.forName(className) // Vulnerable: allows loading arbitrary classes specified by user input
    Ok("Class loaded: " + loadedClass.getName)
  }
}

Secure code example
import play.api.mvc._
class ReflectionController(cc: ControllerComponents) extends AbstractController(cc) {
  // Define allowed classes in a whitelist
  private val allowedClasses = Map(
    "user" -> "com.example.User",
    "product" -> "com.example.Product",
    "order" -> "com.example.Order"
  )
  def safeReflection = Action { request =>
    // Only a whitelist key comes from the request, never a class name
    allowedClasses.get(request.getQueryString("class").getOrElse(""))
      .map(name => Ok("Class loaded: " + Class.forName(name).getName))
      .getOrElse(BadRequest("Unknown class key"))
  }
}