logo

Database

Asymmetric denial of service In io.micronaut:micronaut-http-server

Description

Micronaut Framework vulnerable to a Denial of Service in HTML error response caching DefaultHtmlErrorResponseBodyProvider in io.micronaut:micronaut-http-server since 4.7.0 and until 4.10.7 used an unbounded ConcurrentHashMap cache with no eviction policy. If the application throws an exception whose message may be influenced by an attacker, for example, including request query value parameters, this could be used by remote attackers to cause a denial of service (unbounded heap growth and OutOfMemoryError).

Fixed via: https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2026-330122. NVD-2026-330123. OSV-2026-330124. GHSA-2hcp-gjrf-7fhc5. GCVE-2026-33012

References

1. https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2hcp-gjrf-7fhc2. https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b33. https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.17

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.