GHSA-43W5-MMXV-CPVH

Vulnerability from github – Published: 2026-03-17 16:59 – Updated: 2026-03-31 18:45
VLAI?
Summary
Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices
Details

In JsonBeanPropertyBinder::expandArrayToThreshold in io.micronaut:micronaut-json-core before Micronaut 4 4.10.16 and in Micronaut 3 before 3.10.5 does not correctly handle descending array index order during form-urlencoded body binding, which allows remote attackers to cause a denial of service (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name).

Example

With such an application

package dosform;

import io.micronaut.http.HttpResponse;
import io.micronaut.http.MediaType;
import io.micronaut.http.annotation.Body;
import io.micronaut.http.annotation.Consumes;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import io.micronaut.http.annotation.Post;
import io.micronaut.http.annotation.Produces;

import java.net.URI;

@Controller
class HomeController {

    @Produces(MediaType.TEXT_HTML)
    @Get
    String index() {
        return """
                <!DOCTYPE html>
                <html>
                <head>
                <title></title>
                </head>
                <body>
    <form action="/submit" method="post">
      <label for="firstAuthor">Fist Author</label>
      <input id="firstAuthor" name="authors[0].name" type="text"/>

      <label for="secondAuthor">Second Author</label>
      <input id="secondAuthor" name="authors[1].name" type="text"/>

      <label for="thirdAuthor">Third Author</label>
      <input id="thirdAuthor" name="authors[2].name" type="text"/>

      <button type="submit">Submit</button>
    </form>

                </body>
                </html>
                """;
    }

    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Post("/submit")
    HttpResponse<?> submit(@Body Book book) {
        return HttpResponse.seeOther(URI.create("/"));
    }
}
package dosform;

import io.micronaut.core.annotation.Introspected;

import java.util.Objects;

@Introspected
public class Author {
    private String name;
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }

    @Override
    public final boolean equals(Object o) {
        if (!(o instanceof Author)) return false;

        Author author = (Author) o;
        return Objects.equals(name, author.name);
    }

    @Override
    public int hashCode() {
        return Objects.hashCode(name);
    }

    @Override
    public String toString() {
        return "Author{" +
                "name='" + name + '\'' +
                '}';
    }
}
package dosform;

import io.micronaut.core.annotation.Introspected;

import java.util.List;
import java.util.Objects;

@Introspected
public class Book {
    private List<Author> authors;
    public List<Author> getAuthors() { return authors; }
    public void setAuthors(List<Author> authors) { this.authors = authors; }

    @Override
    public final boolean equals(Object o) {
        if (!(o instanceof Book)) return false;

        Book book = (Book) o;
        return Objects.equals(authors, book.authors);
    }

    @Override
    public int hashCode() {
        return Objects.hashCode(authors);
    }

    @Override
    public String toString() {
        return "Book{" +
                "authors=" + authors +
                '}';
    }
}

Sending curl -v -X POST 'http://127.0.0.1:8080/submit' -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'authors[1].name=RobertGalbraith' --data-urlencode 'authors[0].name=JKRowling' causes sustained CPU usage and unbounded memory growth (eventually OutOfMemoryError).

Patches

For Micronaut 4, the problem has been patched in micronaut-core, dependencies with group id io.micronaut, since 4.10.16.

For Micronaut 3, the problem has been patched since 3.10.5

Users upgrade to the latest version of the framework.

Workarounds

There is no way for users to fix or remediate the vulnerability without upgrading.

References

PR Fix: https://github.com/micronaut-projects/micronaut-core/pull/12410

Severity ?
8.2 (High)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut:micronaut-json-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0-M1"
            },
            {
              "fixed": "4.10.16"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut:micronaut-json-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.9.0"
            },
            {
              "fixed": "3.10.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut:micronaut-json-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.8.13"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-33013"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-835"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-17T16:59:59Z",
    "nvd_published_at": "2026-03-20T05:16:15Z",
    "severity": "HIGH"
  },
  "details": "In `JsonBeanPropertyBinder::expandArrayToThreshold` in `io.micronaut:micronaut-json-core` before Micronaut 4 4.10.16 and in Micronaut 3 before 3.10.5 does not correctly handle descending array index order during form-urlencoded body binding, which allows remote attackers to cause a denial of service (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., `authors[1].name` followed by `authors[0].name`).\n\n### Example\n\nWith such an application\n\n```java\npackage dosform;\n\nimport io.micronaut.http.HttpResponse;\nimport io.micronaut.http.MediaType;\nimport io.micronaut.http.annotation.Body;\nimport io.micronaut.http.annotation.Consumes;\nimport io.micronaut.http.annotation.Controller;\nimport io.micronaut.http.annotation.Get;\nimport io.micronaut.http.annotation.Post;\nimport io.micronaut.http.annotation.Produces;\n\nimport java.net.URI;\n\n@Controller\nclass HomeController {\n\n    @Produces(MediaType.TEXT_HTML)\n    @Get\n    String index() {\n        return \"\"\"\n                \u003c!DOCTYPE html\u003e\n                \u003chtml\u003e\n                \u003chead\u003e\n                \u003ctitle\u003e\u003c/title\u003e\n                \u003c/head\u003e\n                \u003cbody\u003e\n    \u003cform action=\"/submit\" method=\"post\"\u003e\n      \u003clabel for=\"firstAuthor\"\u003eFist Author\u003c/label\u003e\n      \u003cinput id=\"firstAuthor\" name=\"authors[0].name\" type=\"text\"/\u003e\n\n      \u003clabel for=\"secondAuthor\"\u003eSecond Author\u003c/label\u003e\n      \u003cinput id=\"secondAuthor\" name=\"authors[1].name\" type=\"text\"/\u003e\n      \n      \u003clabel for=\"thirdAuthor\"\u003eThird Author\u003c/label\u003e\n      \u003cinput id=\"thirdAuthor\" name=\"authors[2].name\" type=\"text\"/\u003e\n\n      \u003cbutton type=\"submit\"\u003eSubmit\u003c/button\u003e\n    \u003c/form\u003e\n               \n                \u003c/body\u003e\n                \u003c/html\u003e\n                \"\"\";\n    }\n\n    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)\n    @Post(\"/submit\")\n    HttpResponse\u003c?\u003e submit(@Body Book book) {\n        return HttpResponse.seeOther(URI.create(\"/\"));\n    }\n}\npackage dosform;\n\nimport io.micronaut.core.annotation.Introspected;\n\nimport java.util.Objects;\n\n@Introspected\npublic class Author {\n    private String name;\n    public String getName() { return name; }\n    public void setName(String name) { this.name = name; }\n\n    @Override\n    public final boolean equals(Object o) {\n        if (!(o instanceof Author)) return false;\n\n        Author author = (Author) o;\n        return Objects.equals(name, author.name);\n    }\n\n    @Override\n    public int hashCode() {\n        return Objects.hashCode(name);\n    }\n\n    @Override\n    public String toString() {\n        return \"Author{\" +\n                \"name=\u0027\" + name + \u0027\\\u0027\u0027 +\n                \u0027}\u0027;\n    }\n}\npackage dosform;\n\nimport io.micronaut.core.annotation.Introspected;\n\nimport java.util.List;\nimport java.util.Objects;\n\n@Introspected\npublic class Book {\n    private List\u003cAuthor\u003e authors;\n    public List\u003cAuthor\u003e getAuthors() { return authors; }\n    public void setAuthors(List\u003cAuthor\u003e authors) { this.authors = authors; }\n\n    @Override\n    public final boolean equals(Object o) {\n        if (!(o instanceof Book)) return false;\n\n        Book book = (Book) o;\n        return Objects.equals(authors, book.authors);\n    }\n\n    @Override\n    public int hashCode() {\n        return Objects.hashCode(authors);\n    }\n\n    @Override\n    public String toString() {\n        return \"Book{\" +\n                \"authors=\" + authors +\n                \u0027}\u0027;\n    }\n}\n```\n\nSending `curl -v -X POST \u0027http://127.0.0.1:8080/submit\u0027 -H \u0027Content-Type: application/x-www-form-urlencoded\u0027 --data-urlencode \u0027authors[1].name=RobertGalbraith\u0027 --data-urlencode \u0027authors[0].name=JKRowling\u0027` causes sustained CPU usage and unbounded memory growth (eventually `OutOfMemoryError`). \n\n### Patches\nFor Micronaut 4, the problem has been patched in `micronaut-core`, dependencies with group id `io.micronaut`, since [4.10.16](https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.16).\n\nFor Micronaut 3, the problem has been patched since [3.10.5](https://github.com/micronaut-projects/micronaut-core/releases/tag/v3.10.5)\n\nUsers upgrade to the latest version of the framework. \n\n### Workarounds\nThere is no way for users to fix or remediate the vulnerability without upgrading.\n\n### References\nPR Fix: https://github.com/micronaut-projects/micronaut-core/pull/12410",
  "id": "GHSA-43w5-mmxv-cpvh",
  "modified": "2026-03-31T18:45:02Z",
  "published": "2026-03-17T16:59:59Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-43w5-mmxv-cpvh"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33013"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/pull/12410"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/commit/1afe509677c51b320041b7a2c177366d4a4deb55"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/micronaut-projects/micronaut-core"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/releases/tag/v3.10.5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.16"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.