Skip to main content

Red Hat CVE-2026-33012

HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-03-17 https://github.com/micronaut-projects/micronaut-core GHSA-2hcp-gjrf-7fhc
7.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Red Hat
6.5 MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
Patch released
Mar 17, 2026 - 20:30 nvd
Patch available
CVE Published
Mar 17, 2026 - 18:39 nvd
HIGH 7.5

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 7 maven packages depend on io.micronaut:micronaut-http-server (5 direct, 2 indirect)

Ecosystem-wide dependent count for version 4.7.0.

DescriptionGitHub Advisory

DefaultHtmlErrorResponseBodyProvider in io.micronaut:micronaut-http-server since 4.7.0 and until 4.10.7 used an unbounded ConcurrentHashMap cache with no eviction policy. If the application throws an exception whose message may be influenced by an attacker, for example, including request query value parameters, this could be used by remote attackers to cause a denial of service (unbounded heap growth and OutOfMemoryError).

Fixed via: https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3

AnalysisAI

Unbounded heap memory consumption in Micronaut HTTP Server versions 4.7.0 through 4.10.7 allows remote attackers to trigger denial of service via crafted exception messages that pollute an uncapped cache. By manipulating request parameters reflected in error responses, an unauthenticated attacker can exhaust server memory and cause OutOfMemoryError conditions. A patch is available in version 4.10.7 and later.

Technical ContextAI

This vulnerability affects the io.micronaut:micronaut-http-server package (CPE: pkg:maven/io.micronaut:micronaut-http-server), specifically the DefaultHtmlErrorResponseBodyProvider class introduced in version 4.7.0. The root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The component caches error responses in a ConcurrentHashMap data structure without implementing any size limits or cache eviction policy. When applications generate exception messages that incorporate user-controlled input (such as request query parameters), attackers can systematically trigger unique exceptions, each creating a new cache entry. This leads to unbounded memory consumption as the cache grows indefinitely, eventually exhausting heap memory and causing the application to crash with OutOfMemoryError.

RemediationAI

Upgrade io.micronaut:micronaut-http-server to version 4.10.7 or later, specifically version 4.10.17 which is referenced in the release notes at https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.17. The fix is available through the patch committed at https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3, which implements proper cache bounds and eviction policy. Organizations unable to immediately upgrade should implement application-level mitigations including rate limiting on error-triggering endpoints, input validation to prevent injection of arbitrary values into exception messages, and monitoring of heap memory usage with alerts configured for abnormal growth patterns. Consider implementing WAF rules to detect and block repeated requests designed to trigger unique exceptions.

Vendor StatusVendor

Share

CVE-2026-33012 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy