Description
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions 4.7.0 through 4.10.16 used an unbounded ConcurrentHashMap cache with no eviction policy in its DefaultHtmlErrorResponseBodyProvider. If the application throws an exception whose message may be influenced by an attacker, (for example, including request query value parameters) it could be used by remote attackers to cause an unbounded heap growth and OutOfMemoryError, leading to DoS. This issue has been fixed in version 4.10.7.
Published: 2026-03-20
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via unbounded cache causing heap exhaustion
Action: Immediate Patch
AI Analysis

Impact

An unbounded ConcurrentHashMap was used in the DefaultHtmlErrorResponseBodyProvider of Micronaut Framework versions 4.7.0 to 4.10.16. When an exception occurs and its message can be influenced by an attacker—such as by including data from request query parameters—the framework will repeatedly store these messages in the map. Because the map has no eviction policy, it will grow without bound until the JVM runs out of memory, resulting in an OutOfMemoryError that crashes the application and denies service to legitimate users. This weakness is a classic memory allocation issue, classified as CWE‑770.

Affected Systems

The vulnerability affects the Micronaut Framework open‑source library, specifically micronaut-core from versions 4.7.0 through 4.10.16. The fix was introduced in version 4.10.7 and is included in later releases such as 4.10.17. Any project that incorporates a vulnerable Micronaut core package and allows unfiltered exception messages exposed to external input is potentially impacted.

Risk and Exploitability

The CVSS base score is 7.5, indicating a high severity. The EPSS score is below 1%, suggesting that exploitation is unlikely but still possible. The flaw is not listed in CISA’s KEV catalog. An attacker can trigger the denial of service remotely by crafting HTTP requests that cause an exception whose message contains attacker‑controlled data, leading the application to grow its internal cache until memory exhaustion. The exploitation prerequisites are minimal—access to the public interface that can provoke such an exception and the ability to observe the resulting OutOfMemoryError via resource unavailability or application crash logs.

Generated by OpenCVE AI on March 24, 2026 at 22:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade micronaut-core to version 4.10.7 or newer, such as 4.10.17, which removes the unbounded cache
  • Verify that exception messages no longer include user‑controlled data to eliminate the trigger for the cache growth
  • After upgrading, monitor application heap usage to confirm that the issue has been resolved and that no new memory growth patterns emerge

Generated by OpenCVE AI on March 24, 2026 at 22:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2hcp-gjrf-7fhc Micronaut Framework vulnerable to a Denial of Service in HTML error response caching
History

Tue, 24 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Objectcomputing
Objectcomputing micronaut
CPEs cpe:2.3:a:objectcomputing:micronaut:*:*:*:*:*:*:*:*
Vendors & Products Objectcomputing
Objectcomputing micronaut

Fri, 20 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Micronaut-projects
Micronaut-projects micronaut-core
Vendors & Products Micronaut-projects
Micronaut-projects micronaut-core

Fri, 20 Mar 2026 05:15:00 +0000

Type Values Removed Values Added
Description Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions 4.7.0 through 4.10.16 used an unbounded ConcurrentHashMap cache with no eviction policy in its DefaultHtmlErrorResponseBodyProvider. If the application throws an exception whose message may be influenced by an attacker, (for example, including request query value parameters) it could be used by remote attackers to cause an unbounded heap growth and OutOfMemoryError, leading to DoS. This issue has been fixed in version 4.10.7.
Title Micronaut Framework vulnerable to a Denial of Service in HTML error response caching
Weaknesses CWE-770
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Micronaut-projects Micronaut-core
Objectcomputing Micronaut
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-20T16:02:36.357Z

Reserved: 2026-03-17T17:22:14.665Z

Link: CVE-2026-33012

cve-icon Vulnrichment

Updated: 2026-03-20T16:02:23.985Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-20T05:16:15.200

Modified: 2026-03-24T21:21:44.597

Link: CVE-2026-33012

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-03-20T04:43:07Z

Links: CVE-2026-33012 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-03-25T14:09:16Z

Weaknesses