play-ws is vulnerable to information disclosure. The vulnerability is due to a regression in async-http-client that causes HTTP CONNECT requests to be sent to outbound HTTPS requests when using an authenticated proxy server.
github.com/AsyncHttpClient/async-http-client/pull/1667
github.com/playframework/play-ws/commit/0007ce58a85d779e0eb5a2fb2b213c9aa928cf7a
github.com/playframework/play-ws/pull/410
www.playframework.com/security/vulnerability
www.playframework.com/security/vulnerability/CVE-2019-17598-PlayWSHttpConnectAuthorizationHeaders