CVE-2026-33013 in micronaut-core
Summary
by MITRE • 03/20/2026
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in the JsonBeanPropertyBinder::expandArrayToThreshold, which allows remote attackers to cause a DoS (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name). This issue has been fixed in versions 4.10.16 and 3.10.5.
Analysis
by VulDB Data Team • 03/26/2026
The vulnerability CVE-2026-33013 affects the Micronaut Framework, a popular JVM-based full stack Java framework used for building modular and testable applications. This security flaw resides in the JsonBeanPropertyBinder::expandArrayToThreshold method which incorrectly processes descending array index order during form-urlencoded body binding operations. The issue manifests when the framework encounters crafted indexed form parameters where array indices are provided in descending order rather than the expected ascending sequence. This improper handling creates a condition where the framework enters a non-terminating loop during parameter processing, leading to significant system resource exhaustion.
Technically, the vulnerability stems from inadequate boundary checking and array index validation within the form binding mechanism. When processing form data containing indexed parameters such as authors[1].name followed by authors[0].name, the framework's array expansion logic fails to properly validate the descending index sequence. This creates a logic error in the expandArrayToThreshold method: the framework attempts to expand array structures based on the malformed index ordering, and the expansion never reaches its exit condition, consuming CPU cycles and memory until the process is exhausted. The flaw sits in the framework's processing of form-encoded data within its HTTP request handling pipeline, which makes it particularly dangerous in web application environments where user input is bound directly from the request.
The operational impact of this vulnerability is severe and can result in complete system unavailability through various forms of denial of service. Remote attackers can exploit this weakness by submitting specifically crafted form parameters that trigger the non-terminating loop condition, causing the application server to exhaust CPU resources and potentially leading to OutOfMemoryError exceptions. This type of attack can be executed without authentication requirements and can affect any application built on the affected Micronaut Framework versions, making it a critical concern for organizations relying on this technology stack. The vulnerability's exploitation can lead to cascading failures in application availability and performance degradation across the entire system.
Mitigation for CVE-2026-33013 primarily consists of upgrading to the patched versions of the Micronaut Framework, specifically version 4.10.16 or 3.10.5, which contain the necessary fixes for the array index handling logic. Organizations should also implement input validation at the application level to check form parameters before they reach the framework's binding layer. Additionally, monitoring should be configured to detect unusual CPU usage patterns and memory allocation spikes that may indicate exploitation attempts. Security teams should conduct comprehensive vulnerability assessments of their Micronaut-based applications and ensure all instances are updated to prevent potential exploitation. This vulnerability is classified under CWE-835, which covers loops whose exit condition is never reached, and represents a significant concern under the ATT&CK framework's privilege escalation and denial of service tactics, particularly in the context of application layer attacks targeting Java web frameworks.
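To make the bug class and the application-level validation described in the two passages above concrete, the following is an added example (not Micronaut code, and not the patched expandArrayToThreshold) that models the binding step which turns keys like authors[1].name into a list of objects. It contrasts a constructed, non-terminating "grow until size equals index+1" loop (the CWE-835 shape, capped here so its failure is observable) with a bounded grow-to-target step plus an up-front index threshold, and shows that the hardened binder produces the same result for ascending and descending index order. The MAX_ARRAY_INDEX value, the function names and the sample bodies are assumptions for this illustration; the page does not give the framework's real limit.

```python
"""Order-independent, bounded expansion of indexed form-urlencoded keys.

Constructed example for CVE-2026-33013 (not Micronaut's code). It shows how
a binder can accept descending or sparse indices safely: validate every
index against a threshold before allocating anything, and grow lists with a
bounded extend instead of an open-ended loop.
"""
import re
from urllib.parse import parse_qsl

# Assumed threshold for this illustration; the real framework's limit is not on the page.
MAX_ARRAY_INDEX = 1024

# One dotted path segment: "authors[1]" -> ("authors", "1"); "name" -> ("name", None)
_SEGMENT = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)(?:\[(\d+)\])?$")


class FormBindingError(ValueError):
    """Raised for malformed keys or indices above the configured threshold."""


def grow_naive(lst, idx, max_steps=10_000):
    """Constructed illustration of the CWE-835 shape (NOT Micronaut's code).

    Grows until the size *equals* idx + 1. If the list is already larger than
    that (a lower index arriving after a higher one, e.g. authors[0] after
    authors[1]), equality is never reached and the loop would run until memory
    is exhausted. The step cap exists only so the failure is observable here.
    """
    steps = 0
    while len(lst) != idx + 1:
        lst.append(None)
        steps += 1
        if steps > max_steps:
            raise RuntimeError("expansion loop would not terminate")
    return lst


def grow_bounded(lst, idx):
    """Hardened growth: extend to idx + 1 only when shorter; never shrinks, never loops."""
    if len(lst) <= idx:
        lst.extend([None] * (idx + 1 - len(lst)))
    return lst


def parse_key(key):
    """'authors[1].name' -> [('authors', 1), ('name', None)]"""
    path = []
    for seg in key.split("."):
        m = _SEGMENT.match(seg)
        if not m:
            raise FormBindingError(f"malformed key segment: {seg!r}")
        name, idx = m.group(1), m.group(2)
        path.append((name, int(idx) if idx is not None else None))
    return path


def bind_form(body, max_index=MAX_ARRAY_INDEX):
    """Bind a form-urlencoded body to nested dicts/lists, independent of index order."""
    parsed = [(parse_key(k), v) for k, v in parse_qsl(body, keep_blank_values=True)]

    # Pass 1: reject oversized indices before any container is allocated (fail fast).
    for path, _ in parsed:
        for name, idx in path:
            if idx is not None and idx > max_index:
                raise FormBindingError(f"index {idx} for {name!r} exceeds limit {max_index}")

    root = {}
    # Pass 2: bind in input order; bounded growth makes descending indices harmless.
    for path, value in parsed:
        node = root
        for i, (name, idx) in enumerate(path):
            last = i == len(path) - 1
            if idx is None:
                if last:
                    node[name] = value
                else:
                    node = node.setdefault(name, {})
                continue
            lst = node.setdefault(name, [])
            if not isinstance(lst, list):
                raise FormBindingError(f"{name!r} used both as scalar and as array")
            grow_bounded(lst, idx)
            if last:
                lst[idx] = value
            else:
                if lst[idx] is None:
                    lst[idx] = {}
                node = lst[idx]
    return root


if __name__ == "__main__":
    # Constructed sample body in the descending order the advisory describes.
    print(bind_form("authors[1].name=Bob&authors[0].name=Alice&title=x"))
```

The two-pass shape matters for the operational point in the mitigation paragraph: the threshold check runs over the parsed keys before any list is created, so a request carrying a huge index is rejected before it can cost memory, and monitoring can alert on the resulting binding errors rather than on CPU spikes.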