On 6 August, a security vulnerability was announced in the Play! application framework.
Due to incorrect handling of strings containing the ASCII null character, Play’s session cookies may be modified or forged by malicious users. While the impact varies wildly from app to app, a typical attack would be to impersonate a different user of an application, e.g., an administrator.
Heroku strongly encourages you to update to a patched version of Play:
For Play 1.x applications
Update the Play version in your app’s conf/dependencies.yml file to 1.2.6, then `git push heroku master`.
Additional details are available at https://devcenter.heroku.com/articles/play#declare-dependencies
For Play 2.x applications
Update the Play version in your app’s project/plugins.sbt to 2.0.6 or 2.1.3, then `git push heroku master`. The relevant line should read:
`addSbtPlugin("play" % "sbt-plugin" % "2.0.6")`
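To confirm before pushing that a build file declares a patched release, a check along these lines can be run over the two files named above. This is an added example, not Heroku's or Play's own code; the function names are hypothetical, the `- play 1.2.6` entry format for conf/dependencies.yml is an assumption, and so is treating later releases within the same series as patched.

```python
import re

# Minimum patched release per series, taken from the advisory above.
# Assumption: later releases in the same series are also patched.
PATCHED = {(1, 2): (1, 2, 6), (2, 0): (2, 0, 6), (2, 1): (2, 1, 3)}

# Play 2.x: the addSbtPlugin line in project/plugins.sbt
SBT_RE = re.compile(
    r'addSbtPlugin\(\s*"play"\s*%\s*"sbt-plugin"\s*%\s*"([^"]+)"\s*\)')
# Play 1.x: assumed "- play <version>" entry in conf/dependencies.yml
YML_RE = re.compile(r'^\s*-\s*play\s+([0-9][^\s#]*)', re.MULTILINE)


def declared_version(text):
    """Return the Play version string declared in a build file, or None."""
    # Drop sbt line comments so a commented-out plugin line is not matched.
    text = re.sub(r'^\s*//.*$', '', text, flags=re.MULTILINE)
    m = SBT_RE.search(text) or YML_RE.search(text)
    return m.group(1) if m else None


def classify(version):
    """Return 'patched', 'vulnerable' or 'unknown' for a version string."""
    m = re.match(r'(\d+)\.(\d+)(?:\.(\d+))?', version or "")
    if not m:
        return "unknown"  # no literal version found in the file
    major, minor = int(m.group(1)), int(m.group(2))
    patch = int(m.group(3) or 0)
    floor = PATCHED.get((major, minor))
    if floor is None:
        return "unknown"  # series not named in the advisory
    return "patched" if (major, minor, patch) >= floor else "vulnerable"


def check(text):
    """Classify the Play version declared in the given build file text."""
    return classify(declared_version(text))


if __name__ == "__main__":
    # Constructed sample file contents, not taken from a real application.
    samples = {
        "project/plugins.sbt": 'addSbtPlugin("play" % "sbt-plugin" % "2.0.4")',
        "conf/dependencies.yml": "require:\n    - play 1.2.6\n",
    }
    for name, body in samples.items():
        print(name, declared_version(body), check(body))
```

An `unknown` result means the file needs a manual look: the version is either not written as a literal or belongs to a series the advisory does not name.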