CVE-2026-33012

HIGH

Micronaut Framework vulnerable to a Denial of Service in HTML error response caching

Title source: cna

Description

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions 4.7.0 through 4.10.16 used an unbounded ConcurrentHashMap cache with no eviction policy in its DefaultHtmlErrorResponseBodyProvider. If the application throws an exception whose message may be influenced by an attacker, (for example, including request query value parameters) it could be used by remote attackers to cause an unbounded heap growth and OutOfMemoryError, leading to DoS. This issue has been fixed in version 4.10.7.

References (3)

[X_Refsource_Confirm] https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2hcp-gjrf-7fhc

[X_Refsource_Misc] https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3

View Writeup ZIP pw:eip

[X_Refsource_Misc] https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.17

Scores

CVSS v3 7.5

EPSS 0.0005

EPSS Percentile 16.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-770

Status published

Products (3)

io.micronaut/micronaut-http-server 4.7.0 - 4.10.17Maven

micronaut-projects/micronaut-core >= 4.7.0, < 4.10.17

objectcomputing/micronaut 4.7.0 - 4.10.17

Published Mar 20, 2026

Tracked Since Mar 20, 2026