GHSA-387m-935m-c4vw: Unbounded HTTP Redirections Enable Infinite Loop Denial of Service in Micronaut HTTP Client
Vulnerability ID: GHSA-387M-935M-C4VW
CVSS Score: 7.5
Published: 2026-07-09
The Netty-based HTTP Client in the Micronaut framework fails to enforce a maximum redirect ceiling by default when processing HTTP responses. This permits remote, attacker-controlled servers to trigger continuous, infinite redirect loops. The resulting recursion causes high CPU utilization, thread starvation, and potential memory exhaustion, inducing a Denial of Service (DoS) state in client-side applications.
TL;DR
A missing ceiling on HTTP redirections in Micronaut's Netty HTTP Client allows a remote server to trap the client in an infinite loop, causing severe Denial of Service through thread and resource starvation.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-835
- Attack Vector: Network
- CVSS v3.1: 7.5
- Impact: Denial of Service (Availability: High)
- Exploit Status: PoC Available
- KEV Status: Not Listed
Affected Systems
- io.micronaut:micronaut-http-client
- Micronaut Framework HTTP Client
- Netty-based Micronaut HTTP Client
-
micronaut-http-client: < 3.10.7 (Fixed in:
3.10.7) -
micronaut-http-client: >= 4.0.0-M1, < 4.10.24 (Fixed in:
4.10.24) -
micronaut-http-client: >= 5.0.0-M1, < 5.0.1 (Fixed in:
5.0.1)
Code Analysis
Commit: c06a271
Enforce configurable max redirect limit on Netty-based HTTP client for Micronaut 3
Commit: f1dffff
Add redirection counting limits in HTTP client execution flows for Micronaut 4
Commit: 6e88a97
Fix infinite redirect loop in Netty HTTP client by verifying redirection depths in Micronaut 5
Exploit Details
- GitHub Security Advisory: The advisory contains reproduction tests in Spock (RedirectLoopSpec.groovy) and JUnit verification parameters confirming the infinite looping behavior.
Mitigation Strategies
- Upgrade the Micronaut platform or HTTP Client library to the recommended fixed versions.
- Disable the automatic redirect-following option globally in application configurations.
- Implement programmatically bounded, manual redirection logic to validate target domains before requesting them.
- Configure strict egress firewalls to restrict the destinations that HTTP client services can access.
Remediation Steps:
- Open the build configuration file (pom.xml or build.gradle) of the target project.
- Find the dependencies importing io.micronaut:micronaut-http-client or the Micronaut platform BOM.
- Update the version reference to 3.10.7+, 4.10.24+, or 5.0.1+ based on your active major version.
- If patching is delayed, open the application configuration file (application.yml) and add 'micronaut.http.client.follow-redirects: false'.
- Run integration tests containing the redirect-following logic to confirm that loops are terminated or skipped.
References
Read the full report for GHSA-387M-935M-C4VW on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)