Description
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in the JsonBeanPropertyBinder::expandArrayToThreshold, which allows remote attackers to cause a DoS (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name). This issue has been fixed in versions 4.10.16 and 3.10.5.
Published: 2026-03-20
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via non‑terminating loop and OutOfMemoryError triggered by descending array indices in form-urlencoded body binding
Action: Apply Patch
AI Analysis

Impact

Micronaut Framework contains a flaw in its body binder that incorrectly processes descending array indices in form-urlencoded requests. When an attacker supplies indexed parameters such as authors[1].name followed by authors[0].name, the binder enters a non‑terminating loop, exhausting CPU and eventually raising an OutOfMemoryError. This weakness maps to CWE-1285 (Unvalidated Loop Index) and CWE-835 (Infinite Loop).

Affected Systems

All releases of Micronaut Core older than 4.10.16 and 3.10.5 are affected. Any application built with Micronaut projects using the Core framework for request parsing and accepting user‑supplied form data is vulnerable if it remains on an older version.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, but the EPSS score is under 1%, suggesting limited exploit prevalence to date. The vulnerability is not listed in CISA’s KEV catalog. The attack vector is remote: a single crafted HTTP POST request is sufficient to trigger the denial of service. Because the exploit does not require elevated privileges or additional access, administrators should prioritize updating the framework before considering temporary mitigations.

Generated by OpenCVE AI on March 24, 2026 at 22:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Micronaut Core to version 4.10.16 or 3.10.5 or later
  • Verify that all application instances are running the patched version
  • If upgrading cannot be performed immediately, implement request validation to disallow indexed array parameters in form-urlencoded bodies as a temporary measure
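
The temporary measure in the last item can be implemented as a check that runs on the raw body before it reaches the binder. The class below is an added example, not Micronaut code or part of the advisory; the class and method names are hypothetical, and wiring it into an HTTP filter that returns 400 is left to the application.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

/** Added example: pre-binding check for indexed keys in a form-urlencoded body. */
final class IndexedFormKeyGuard {

    // Matches an array index segment such as "[0]" or "[17]" in a decoded key.
    private static final Pattern INDEX_SEGMENT = Pattern.compile("\\[\\d+\\]");

    /** Returns the parameter names that carry an array index or cannot be decoded. */
    static List<String> indexedKeys(String body) {
        List<String> hits = new ArrayList<>();
        if (body == null || body.isEmpty()) {
            return hits;
        }
        for (String pair : body.split("&")) {
            int eq = pair.indexOf('=');
            String rawKey = eq >= 0 ? pair.substring(0, eq) : pair;
            try {
                // Decode first: brackets may arrive as %5B / %5D.
                String key = URLDecoder.decode(rawKey, StandardCharsets.UTF_8);
                if (INDEX_SEGMENT.matcher(key).find()) {
                    hits.add(key);
                }
            } catch (IllegalArgumentException malformed) {
                // Undecodable key: flag it rather than pass it on to the binder.
                hits.add(rawKey);
            }
        }
        return hits;
    }

    /** True when the body should be rejected before binding. */
    static boolean shouldReject(String body) {
        return !indexedKeys(body).isEmpty();
    }

    public static void main(String[] args) {
        // Constructed sample bodies; the first reuses the parameter names from the description.
        String indexed = "authors%5B1%5D.name=a&authors[0].name=b";
        String plain = "title=Book&author=Someone";
        System.out.println("indexed: reject=" + shouldReject(indexed) + " keys=" + indexedKeys(indexed));
        System.out.println("plain:   reject=" + shouldReject(plain));
    }
}
```

The check rejects every indexed key, which is broader than the descending-order case; endpoints that legitimately bind lists from forms will need the upgrade rather than this filter.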



Advisories
Source ID Title
Github GHSA GHSA-43w5-mmxv-cpvh Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices
History

Wed, 25 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 24 Mar 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Objectcomputing
Objectcomputing micronaut
CPEs cpe:2.3:a:objectcomputing:micronaut:*:*:*:*:*:*:*:*
Vendors & Products Objectcomputing
Objectcomputing micronaut
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Fri, 20 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1285
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

threat_severity

Moderate


Fri, 20 Mar 2026 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Micronaut-projects
Micronaut-projects micronaut-core
Vendors & Products Micronaut-projects
Micronaut-projects micronaut-core

Fri, 20 Mar 2026 05:15:00 +0000

Type Values Removed Values Added
Description Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in the JsonBeanPropertyBinder::expandArrayToThreshold, which allows remote attackers to cause a DoS (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name). This issue has been fixed in versions 4.10.16 and 3.10.5.
Title Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices
Weaknesses CWE-835
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-25T14:23:38.641Z

Reserved: 2026-03-17T17:22:14.665Z

Link: CVE-2026-33013

Vulnrichment

Updated: 2026-03-25T14:23:26.829Z

NVD

Status : Analyzed

Published: 2026-03-20T05:16:15.380

Modified: 2026-03-24T21:21:26.580

Link: CVE-2026-33013

Redhat

Severity : Moderate

Public Date: 2026-03-20T04:47:42Z

Links: CVE-2026-33013 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-25T14:09:15Z
