Red Hat CVE-2026-33012
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 7 maven packages depend on io.micronaut:micronaut-http-server (5 direct, 2 indirect)
Ecosystem-wide dependent count for version 4.7.0.
DescriptionGitHub Advisory
DefaultHtmlErrorResponseBodyProvider in io.micronaut:micronaut-http-server since 4.7.0 and until 4.10.7 used an unbounded ConcurrentHashMap cache with no eviction policy. If the application throws an exception whose message may be influenced by an attacker, for example, including request query value parameters, this could be used by remote attackers to cause a denial of service (unbounded heap growth and OutOfMemoryError).
Fixed via: https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3
AnalysisAI
Unbounded heap memory consumption in Micronaut HTTP Server versions 4.7.0 through 4.10.7 allows remote attackers to trigger denial of service via crafted exception messages that pollute an uncapped cache. By manipulating request parameters reflected in error responses, an unauthenticated attacker can exhaust server memory and cause OutOfMemoryError conditions. A patch is available in version 4.10.7 and later.
Technical ContextAI
This vulnerability affects the io.micronaut:micronaut-http-server package (CPE: pkg:maven/io.micronaut:micronaut-http-server), specifically the DefaultHtmlErrorResponseBodyProvider class introduced in version 4.7.0. The root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The component caches error responses in a ConcurrentHashMap data structure without implementing any size limits or cache eviction policy. When applications generate exception messages that incorporate user-controlled input (such as request query parameters), attackers can systematically trigger unique exceptions, each creating a new cache entry. This leads to unbounded memory consumption as the cache grows indefinitely, eventually exhausting heap memory and causing the application to crash with OutOfMemoryError.
RemediationAI
Upgrade io.micronaut:micronaut-http-server to version 4.10.7 or later, specifically version 4.10.17 which is referenced in the release notes at https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.17. The fix is available through the patch committed at https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3, which implements proper cache bounds and eviction policy. Organizations unable to immediately upgrade should implement application-level mitigations including rate limiting on error-triggering endpoints, input validation to prevent injection of arbitrary values into exception messages, and monitoring of heap memory usage with alerts configured for abnormal growth patterns. Consider implementing WAF rules to detect and block repeated requests designed to trigger unique exceptions.
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-2hcp-gjrf-7fhc