DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-387M-935M-C4VW: GHSA-387m-935m-c4vw: Unbounded HTTP Redirections Enable Infinite Loop Denial of Service in Micronaut HTTP Client

GHSA-387m-935m-c4vw: Unbounded HTTP Redirections Enable Infinite Loop Denial of Service in Micronaut HTTP Client

Vulnerability ID: GHSA-387M-935M-C4VW
CVSS Score: 7.5
Published: 2026-07-09

The Netty-based HTTP Client in the Micronaut framework fails to enforce a maximum redirect ceiling by default when processing HTTP responses. This permits remote, attacker-controlled servers to trigger continuous, infinite redirect loops. The resulting recursion causes high CPU utilization, thread starvation, and potential memory exhaustion, inducing a Denial of Service (DoS) state in client-side applications.

TL;DR

A missing ceiling on HTTP redirections in Micronaut's Netty HTTP Client allows a remote server to trap the client in an infinite loop, causing severe Denial of Service through thread and resource starvation.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-835
  • Attack Vector: Network
  • CVSS v3.1: 7.5
  • Impact: Denial of Service (Availability: High)
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Systems

  • io.micronaut:micronaut-http-client
  • Micronaut Framework HTTP Client
  • Netty-based Micronaut HTTP Client
  • micronaut-http-client: < 3.10.7 (Fixed in: 3.10.7)
  • micronaut-http-client: >= 4.0.0-M1, < 4.10.24 (Fixed in: 4.10.24)
  • micronaut-http-client: >= 5.0.0-M1, < 5.0.1 (Fixed in: 5.0.1)

Code Analysis

Commit: c06a271

Enforce configurable max redirect limit on Netty-based HTTP client for Micronaut 3

Commit: f1dffff

Add redirection counting limits in HTTP client execution flows for Micronaut 4

Commit: 6e88a97

Fix infinite redirect loop in Netty HTTP client by verifying redirection depths in Micronaut 5

Exploit Details

  • GitHub Security Advisory: The advisory contains reproduction tests in Spock (RedirectLoopSpec.groovy) and JUnit verification parameters confirming the infinite looping behavior.

Mitigation Strategies

  • Upgrade the Micronaut platform or HTTP Client library to the recommended fixed versions.
  • Disable the automatic redirect-following option globally in application configurations.
  • Implement programmatically bounded, manual redirection logic to validate target domains before requesting them.
  • Configure strict egress firewalls to restrict the destinations that HTTP client services can access.

Remediation Steps:

  1. Open the build configuration file (pom.xml or build.gradle) of the target project.
  2. Find the dependencies importing io.micronaut:micronaut-http-client or the Micronaut platform BOM.
  3. Update the version reference to 3.10.7+, 4.10.24+, or 5.0.1+ based on your active major version.
  4. If patching is delayed, open the application configuration file (application.yml) and add 'micronaut.http.client.follow-redirects: false'.
  5. Run integration tests containing the redirect-following logic to confirm that loops are terminated or skipped.

References


Read the full report for GHSA-387M-935M-C4VW on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)