Java
CVE-2026-33013
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 121 maven packages depend on io.micronaut:micronaut-json-core (9 direct, 112 indirect)
Ecosystem-wide dependent count for version 4.0.0-M1.
DescriptionGitHub Advisory
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in theJsonBeanPropertyBinder::expandArrayToThreshold, which allows remote attackers to cause a DoS (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name). This issue has been fixed in versions 4.10.16 and 3.10.5.
AnalysisAI
The Micronaut Framework contains an infinite loop vulnerability in its form-urlencoded body binding mechanism that occurs when array indices are processed in descending order, allowing remote attackers to trigger denial of service through CPU exhaustion and out-of-memory conditions. Versions prior to 4.10.16 and 3.10.5 are affected, with the vulnerability exploitable by sending crafted indexed form parameters without authentication. No public exploit code has been confirmed, but the issue is straightforward to trigger and has been patched in the referenced versions.
Technical ContextAI
The vulnerability exists in the JsonBeanPropertyBinder::expandArrayToThreshold method within the Micronaut Framework, a JVM-based microservices framework for building Java applications. The root cause is classified as CWE-835 (Loop with Unreachable Exit Condition), where the array expansion logic fails to correctly handle descending index ordering in form-urlencoded POST body parameters. When parameters like 'authors[1].name' are received before 'authors[0].name', the binding mechanism enters an infinite loop attempting to expand the array to accommodate indices, consuming CPU cycles and memory until resource exhaustion occurs. This impacts all Micronaut-based applications that accept form-urlencoded input and perform automatic bean property binding without input validation.
RemediationAI
Upgrade Micronaut Framework to version 4.10.16 or later for 4.x deployments, or to version 3.10.5 or later for 3.x deployments. Update the dependency in your build configuration (Maven pom.xml or Gradle build.gradle) and redeploy affected services. For immediate mitigation before patching is possible, implement input validation on form-urlencoded parameters to reject requests with unexpected array indices or limit the maximum array size processed by the binder. Additionally, deploy a Web Application Firewall or reverse proxy configured to detect and block suspicious indexed form parameters (e.g., parameters with indices exceeding a reasonable threshold). Network segmentation restricting access to the affected application endpoints can reduce attack surface. Refer to the official patch releases at https://github.com/micronaut-projects/micronaut-core/releases/tag/v3.10.5 and https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.16 for deployment guidance.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
GHSA-43w5-mmxv-cpvh