CVE-2026-33013
Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices
CVSS Score
0.0
EPSS Score
0.1%
EPSS Percentile
34th
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in theJsonBeanPropertyBinder::expandArrayToThreshold, which allows remote attackers to cause a DoS (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name). This issue has been fixed in versions 4.10.16 and 3.10.5.
| CWE | CWE-835 |
| Vendor | micronaut-projects |
| Product | micronaut-core |
| Published | Mar 20, 2026 |
| Last Updated | Mar 25, 2026 |
Stay Ahead of the Next One
Get instant alerts for micronaut-projects micronaut-core
Be the first to know when new unknown vulnerabilities affecting micronaut-projects micronaut-core are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
micronaut-projects / micronaut-core
>= 4.0.0-M1, < 4.10.16 < 3.10.5
References
github.com: https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-43w5-mmxv-cpvh github.com: https://github.com/micronaut-projects/micronaut-core/pull/12410 github.com: https://github.com/micronaut-projects/micronaut-core/commit/1afe509677c51b320041b7a2c177366d4a4deb55 github.com: https://github.com/micronaut-projects/micronaut-core/releases/tag/v3.10.5 github.com: https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.16