CVE-2026-33012 (GCVE-0-2026-33012)
Vulnerability from cvelistv5 – Published: 2026-03-20 04:43 – Updated: 2026-03-20 16:02
Title
Micronaut Framework vulnerable to a Denial of Service in HTML error response caching
Summary
Micronaut Framework is a JVM-based full-stack Java framework designed for building modular, easily testable JVM applications. Versions 4.7.0 through 4.10.16 used an unbounded ConcurrentHashMap cache with no eviction policy in DefaultHtmlErrorResponseBodyProvider. If the application throws an exception whose message can be influenced by an attacker (for example, because the message includes request query parameter values), a remote attacker can send requests with ever-changing values so that each one adds a new cache entry that is never removed, growing the heap without bound until the JVM fails with an OutOfMemoryError and the service is unavailable. The fix ships in version 4.10.17: the record's affected range is >= 4.7.0, < 4.10.17 and the referenced release is v4.10.17, whereas the CVE description text itself says "4.10.7".
Severity
7.5 (High), CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE
- CWE-770 - Allocation of Resources Without Limits or Throttling
Assigner
GitHub_M (security-advisories@github.com)
References
| URL | Tags |
|---|---|
| https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2hcp-gjrf-7fhc | Vendor Advisory (x_refsource_CONFIRM) |
| https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3 | Patch (x_refsource_MISC) |
| https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.17 | Release Notes (x_refsource_MISC) |
Impacted products
| Vendor | Product | Version |
|---|---|---|
| micronaut-projects | micronaut-core | Affected: >= 4.7.0, < 4.10.17 |
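The caching pattern described in the summary, as an added example written for this page (it is not Micronaut's code and not the upstream patch): a model error-page provider that keys an unbounded ConcurrentHashMap on the exception message, beside a hardened variant whose cache key is built only from the status code and exception class and which substitutes the message per request instead of storing it. The class names, the key layout, the LRU cap and the sample traffic are all assumptions made for the illustration.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

/**
 * Models the CWE-770 pattern described in the advisory: an HTML error-page
 * provider that memoises rendered pages under a key that contains the
 * exception message. Both cache classes are hypothetical models written for
 * this page; neither is Micronaut's DefaultHtmlErrorResponseBodyProvider nor
 * the upstream fix.
 */
public class ErrorPageCacheDemo {

    /** Vulnerable shape: unbounded ConcurrentHashMap, no eviction, attacker text in the key. */
    static final class UnboundedErrorPageCache {
        private final Map<String, String> pages = new ConcurrentHashMap<>();

        String render(int status, Throwable error) {
            // Each distinct message yields a new entry that is never removed.
            String key = status + "|" + error.getMessage();
            return pages.computeIfAbsent(key, k -> buildHtml(status, String.valueOf(error.getMessage())));
        }

        int entries() {
            return pages.size();
        }
    }

    /**
     * Hardened shape: the key is built only from data the client cannot vary
     * freely (status code and exception class), so the key space is bounded by
     * the application's own code; an LRU cap is kept as a second line of defence.
     */
    static final class BoundedErrorPageCache {
        private static final int MAX_ENTRIES = 64;
        private static final String MESSAGE_SLOT = "{{message}}";

        private final Map<String, String> templates = Collections.synchronizedMap(
                new LinkedHashMap<String, String>(16, 0.75f, true) {
                    @Override
                    protected boolean removeEldestEntry(Map.Entry<String, String> eldest) {
                        return size() > MAX_ENTRIES;
                    }
                });

        String render(int status, Throwable error) {
            String key = status + "|" + error.getClass().getName();
            String template = templates.computeIfAbsent(key, k -> buildHtml(status, MESSAGE_SLOT));
            // The variable, attacker-influenced part is substituted per request and never stored.
            return template.replace(MESSAGE_SLOT, escapeHtml(String.valueOf(error.getMessage())));
        }

        int entries() {
            return templates.size();
        }
    }

    /** Renders a minimal error page; escaping keeps the message from becoming reflected XSS. */
    static String buildHtml(int status, String message) {
        return "<html><body><h1>HTTP " + status + "</h1><p>" + escapeHtml(message) + "</p></body></html>";
    }

    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '&': out.append("&amp;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    public static void main(String[] args) {
        UnboundedErrorPageCache vulnerable = new UnboundedErrorPageCache();
        BoundedErrorPageCache hardened = new BoundedErrorPageCache();

        // Constructed traffic: one endpoint, a query parameter varied on every request
        // and echoed into the exception message, as the advisory describes.
        int requests = 10_000;
        for (int i = 0; i < requests; i++) {
            IllegalArgumentException e =
                    new IllegalArgumentException("No item matches query id=" + i);
            vulnerable.render(400, e);
            hardened.render(400, e);
        }
        System.out.println("unbounded cache entries: " + vulnerable.entries());
        System.out.println("bounded cache entries:   " + hardened.entries());
    }
}
```

Run it with `java ErrorPageCacheDemo.java` (JDK 11 or later source-file mode). The first counter grows by one for every distinct query value, which is exactly the heap growth the advisory describes, while the second stays at a single entry for the (status, exception class) pair no matter how many values the client sends. The practical check when reviewing your own code is the same: any cache whose key or value incorporates request-derived text needs either a key that the client cannot vary or a hard size bound, and ideally both.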
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33012",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T15:59:33.202875Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T16:02:36.357Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "micronaut-core",
"vendor": "micronaut-projects",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.7.0, \u003c 4.10.17"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions 4.7.0 through 4.10.16 used an unbounded ConcurrentHashMap cache with no eviction policy in its DefaultHtmlErrorResponseBodyProvider. If the application throws an exception whose message may be influenced by an attacker, (for example, including request query value parameters) it could be used by remote attackers to cause an unbounded heap growth and OutOfMemoryError, leading to DoS. This issue has been fixed in version 4.10.7."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-770",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T04:43:07.809Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2hcp-gjrf-7fhc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2hcp-gjrf-7fhc"
},
{
"name": "https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3"
},
{
"name": "https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.17",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.17"
}
],
"source": {
"advisory": "GHSA-2hcp-gjrf-7fhc",
"discovery": "UNKNOWN"
},
"title": "Micronaut Framework vulnerable to a Denial of Service in HTML error response caching"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33012",
"datePublished": "2026-03-20T04:43:07.809Z",
"dateReserved": "2026-03-17T17:22:14.665Z",
"dateUpdated": "2026-03-20T16:02:36.357Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33012\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T05:16:15.200\",\"lastModified\":\"2026-03-24T21:21:44.597\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions 4.7.0 through 4.10.16 used an unbounded ConcurrentHashMap cache with no eviction policy in its DefaultHtmlErrorResponseBodyProvider. If the application throws an exception whose message may be influenced by an attacker, (for example, including request query value parameters) it could be used by remote attackers to cause an unbounded heap growth and OutOfMemoryError, leading to DoS. This issue has been fixed in version 4.10.7.\"},{\"lang\":\"es\",\"value\":\"Micronaut Framework es un framework Java de pila completa basado en JVM dise\u00f1ado para construir aplicaciones JVM modulares y f\u00e1cilmente testeables. Las versiones 4.7.0 a la 4.10.16 usaban una cach\u00e9 ConcurrentHashMap ilimitada sin pol\u00edtica de desalojo en su DefaultHtmlErrorResponseBodyProvider. Si la aplicaci\u00f3n lanza una excepci\u00f3n cuyo mensaje puede ser influenciado por un atacante, (por ejemplo, incluyendo par\u00e1metros de valor de consulta de solicitud) podr\u00eda ser usado por atacantes remotos para causar un crecimiento de heap ilimitado y OutOfMemoryError, lo que lleva a DoS. Este problema ha sido solucionado en la versi\u00f3n 4.10.7.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-770\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:objectcomputing:micronaut:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.7.0\",\"versionEndExcluding\":\"4.10.17\",\"matchCriteriaId\":\"C50C427C-305C-4A11-A5F5-E1AEB19AD09D\"}]}]}],\"references\":[{\"url\":\"https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.17\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Release Notes\"]},{\"url\":\"https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2hcp-gjrf-7fhc\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33012\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-20T15:59:33.202875Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-20T16:02:23.985Z\"}}], \"cna\": {\"title\": \"Micronaut Framework vulnerable to a Denial of Service in HTML error response caching\", \"source\": {\"advisory\": \"GHSA-2hcp-gjrf-7fhc\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"micronaut-projects\", \"product\": \"micronaut-core\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.7.0, \u003c 4.10.17\"}]}], \"references\": [{\"url\": \"https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2hcp-gjrf-7fhc\", \"name\": \"https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2hcp-gjrf-7fhc\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3\", \"name\": \"https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.17\", \"name\": \"https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.17\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions 4.7.0 through 4.10.16 used an unbounded ConcurrentHashMap cache with no eviction policy in its DefaultHtmlErrorResponseBodyProvider. If the application throws an exception whose message may be influenced by an attacker, (for example, including request query value parameters) it could be used by remote attackers to cause an unbounded heap growth and OutOfMemoryError, leading to DoS. This issue has been fixed in version 4.10.7.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-770\", \"description\": \"CWE-770: Allocation of Resources Without Limits or Throttling\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T04:43:07.809Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33012\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-20T16:02:36.357Z\", \"dateReserved\": \"2026-03-17T17:22:14.665Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T04:43:07.809Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
Sightings
| Author | Source | Type | Date |
|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.