Impact
An unbounded bundleCache in Micronaut Framework’s ResourceBundleMessageSource allows an unauthenticated attacker to exhaust heap memory by sending HTTP requests with a large number of unique Accept-Language header values. Each distinct value creates a new cache entry keyed by (Locale, baseName), and since the cache is unbounded, repeated requests can consume all available memory, causing the application to become unresponsive or terminate. This flaw is categorized as CWE-400, representing uncontrolled resource consumption.
Affected Systems
The vulnerability affects deployments of micronaut-core before version 4.10.22 where a ResourceBundleMessageSource bean is explicitly registered and the application serves HTML error responses. Applications built on Micronaut Framework that include this bean and expose Accept-Language processing fall within the impact scope.
Risk and Exploitability
The CVSS score of 3.7 indicates a moderate severity, primarily due to the denial-of-service impact and the absence of privilege escalation or data exfiltration. EPSS data is unavailable, so the likelihood of exploitation cannot be quantified, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is any HTTP request carrying a crafted Accept-Language header; no authentication or special network conditions are required. Attackers can achieve service disruption by exhausting heap memory, which may further affect co-resident processes or trigger heap dumps that expose sensitive data during crash analysis.
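The behaviour described above leaves a visible trace: one client sending many distinct Accept-Language values, mostly for locales the application never ships, while receiving error responses. The Python below is an added example, not code from the advisory or the Micronaut project; it runs over constructed sample log lines, and the log format and the supported-locale set are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (not from the advisory): client address,
# request line, status and the Accept-Language value, as a reverse proxy might log them.
SAMPLE_LOG = """\
203.0.113.7 "GET /missing HTTP/1.1" 404 "en-US,en;q=0.9"
203.0.113.7 "GET /missing HTTP/1.1" 404 "de-DE,de;q=0.9"
203.0.113.7 "GET /missing HTTP/1.1" 404 "xx-A0"
203.0.113.7 "GET /missing HTTP/1.1" 404 "xx-A1"
203.0.113.7 "GET /missing HTTP/1.1" 404 "xx-A2"
203.0.113.7 "GET /missing HTTP/1.1" 404 "xx-A3"
198.51.100.2 "GET /index.html HTTP/1.1" 200 "fr-FR,fr;q=0.8"
198.51.100.2 "GET /missing HTTP/1.1" 404 "fr-FR,fr;q=0.8"
"""

LOG_RE = re.compile(r'^(\S+) "([^"]*)" (\d{3}) "([^"]*)"$')

# Locales the application actually ships resource bundles for (assumed for this example).
SUPPORTED = {"en", "en-US", "de", "de-DE", "fr", "fr-FR"}


def primary_locales(header: str) -> list[str]:
    """Return the language tags from an Accept-Language value, dropping q-weights."""
    tags = []
    for part in header.split(","):
        tag = part.split(";", 1)[0].strip()
        if tag:
            tags.append(tag)
    return tags


def flag_clients(log_text: str, max_distinct: int = 3) -> dict[str, dict]:
    """Per client address, count distinct Accept-Language values, tags outside the
    supported set, and error responses; return only clients above max_distinct."""
    per_client = defaultdict(lambda: {"values": set(), "unsupported": 0, "errors": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        addr, _req, status, accept_lang = m.groups()
        stats = per_client[addr]
        stats["values"].add(accept_lang)  # each distinct value is a potential cache entry
        stats["unsupported"] += sum(1 for t in primary_locales(accept_lang) if t not in SUPPORTED)
        if status.startswith(("4", "5")):
            stats["errors"] += 1  # error pages are where the message source is consulted
    return {addr: {"distinct": len(s["values"]), "unsupported": s["unsupported"], "errors": s["errors"]}
            for addr, s in per_client.items() if len(s["values"]) > max_distinct}
```

Tune max_distinct to the number of locales a legitimate client plausibly cycles through; a high unsupported count alongside a high distinct count is the stronger signal.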
OpenCVE Enrichment
Github GHSA