#1226 [2.10.x] Avoid running out of memory when parsing heavily nested arrays or objects by @mkurz
We now limit the maximum allowed nesting depth of JSON structures (arrays, objects, or a mix of both) to 1000.
This limit can be adjusted using the system property play.json.parser.maxNestingDepth.
We assume a depth of 1000 should be more than sufficient for virtually all real-world use cases.
This change helps prevent both potential OutOfMemoryErrors and StackOverflowErrors.
The latter, however, is not a concern for Play JSON, since it already uses a @tailrec-optimized parsing method.
As a result, Play JSON is not affected by CVE-2025-52999, which specifically addresses StackOverflowError risks.
This improvement is simply an additional safety measure.
Changes
#1232 [2.10.x] Patch updates by @mkurz
#1230 [2.10.x] Fix flaky tests (backport #1229) by @mkurz by @mergify[bot]
#1226 [2.10.x] Avoid running out of memory when parsing heavily nested arrays or objects by @mkurz
#1223 [2.10.x] sbt-jmh 0.4.8 (was 0.4.7) by @scala-steward
#1218 [2.10.x] sbt-header 5.11.0 (was 5.10.0) by @scala-steward
#1214 [2.10.x] Patch updates by @mkurz
#1209 [2.10.x] Bump actions/checkout from 4 to 5 by @dependabot[bot]
#1200 [2.10.x] Patch updates by @mkurz
#1197 [2.10.x] Remove frequency from scala steward conf (backport #1143) by @mkurz by @mergify[bot]
#1194 [2.10.x] Patch updates by @mkurz
#1164 [2.10.x] sbt-ci-release 1.11.1 (was 1.9.3) by @scala-steward
#1165 [2.10.x] sbt, scripted-plugin 1.11.2 (was 1.10.11) by @scala-steward
:heart: Thanks to our premium sponsors!
If you find this OSS project useful for work, please consider asking your company to support it by becoming a sponsor.
You can also individually sponsor the project by becoming a backer.
:bow: Thanks to our contributors
Finally, thanks to the community for their help with detailed bug reports, discussions about new features and pull request reviews. This project is only possible due to the help we had from amazing contributors.
Special thanks to all code contributors who helped with this particular release (they are listed below)!
