CVE Reports

Originally published at cvereports.com

GHSA-43W5-MMXV-CPVH: Denial of Service via Infinite Loop in Micronaut Data Binding

Vulnerability ID: GHSA-43W5-MMXV-CPVH
CVSS Score: 7.5
Published: 2026-03-17

The Micronaut Framework's form-urlencoded data binding contains a Denial of Service (DoS) vulnerability. The JsonBeanPropertyBinder class mishandles array indices that arrive in descending order (a lower index after a higher one) while parsing request parameters, which sends it into an infinite loop that exhausts CPU and heap. The flaw affects Micronaut 3.x before 3.10.5 and 4.x before 4.10.16.

TL;DR

A logic flaw in Micronaut's data binder allows unauthenticated attackers to cause an infinite loop by sending out-of-order array indices in form-urlencoded requests, leading to CPU exhaustion and application crashes.


⚠️ Exploit Status: POC

Technical Details

  • Vulnerability Type: Denial of Service (DoS)
  • CWE ID: CWE-835
  • Attack Vector: Network (HTTP POST)
  • Impact: CPU Exhaustion and OutOfMemoryError (Crash)
  • Authentication Required: None
  • Patched Versions: 3.10.5, 4.10.16

Affected Systems

  • Micronaut Framework 3.x: 3.0.0 through 3.10.4 (fixed in 3.10.5)
  • Micronaut Framework 4.x: 4.0.0 through 4.10.15 (fixed in 4.10.16)
  • Affected artifact: io.micronaut:micronaut-json-core

Code Analysis

Commit: 1afe509

Fix infinite loop in JsonBeanPropertyBinder when array indices are out of order
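To make the bug class concrete, here is an added, illustrative model written for this page. It is not Micronaut's JsonBeanPropertyBinder and not the patched code from commit 1afe509: a form-urlencoded binder whose list-padding loop assumes `name[index]` keys arrive in ascending order, next to a hardened variant. The key syntax, the step guard, the index cap and the request bodies are assumptions constructed for the example; the real loop in Micronaut may look different.

```python
"""Model of the bug class behind GHSA-43W5-MMXV-CPVH: a form-urlencoded
binder that assumes array indices arrive in ascending order.

Illustrative reconstruction only, not Micronaut's JsonBeanPropertyBinder.
The `name[index]` key format, the naive padding loop, the step guard and
the hardened variant are assumptions made for this example."""
import re
from urllib.parse import parse_qsl

INDEXED_KEY = re.compile(r"^(?P<name>[A-Za-z_][\w.]*)\[(?P<idx>\d+)\]$")
MAX_STEPS = 10_000   # guard so the naive binder cannot actually hang this script
MAX_INDEX = 1_000    # assumed upper bound on a bindable array index


def split_index(key):
    """Return (name, index) for keys like 'tags[3]', or (key, None) otherwise."""
    m = INDEXED_KEY.match(key)
    if m is None:
        return key, None
    return m.group("name"), int(m.group("idx"))


def _list_for(bound, name):
    """Fetch or create the list bound under `name`; reject scalar/array mixing."""
    values = bound.setdefault(name, [])
    if not isinstance(values, list):
        raise ValueError(f"{name!r} is bound as both a scalar and an array")
    return values


def bind_naive(body, max_steps=MAX_STEPS):
    """Naive binder: pads the list one slot at a time until its length equals
    the requested index. Ascending indices work; a descending (or repeated)
    index makes the loop condition unsatisfiable.
    Returns (bound_values, hung); hung is True if the step guard fired."""
    bound = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        name, idx = split_index(key)
        if idx is None:
            bound[name] = value
            continue
        values = _list_for(bound, name)
        steps = 0
        # BUG: once idx < len(values) this `!=` can never become equality;
        # the loop keeps appending until memory runs out (CPU spin, then OOM).
        while len(values) != idx:
            values.append(None)
            steps += 1
            if steps >= max_steps:
                return bound, True
        values.append(value)
    return bound, False


def bind_safe(body, max_index=MAX_INDEX):
    """Hardened binder: grows the list to exactly idx+1 in one step, so no
    loop's exit depends on input order, and rejects oversized indices so a
    single `a[999999999]=x` cannot force a huge allocation."""
    bound = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        name, idx = split_index(key)
        if idx is None:
            bound[name] = value
            continue
        if idx > max_index:
            raise ValueError(f"array index {idx} exceeds limit {max_index}")
        values = _list_for(bound, name)
        if idx >= len(values):
            values.extend([None] * (idx + 1 - len(values)))
        values[idx] = value   # overwriting is fine; order no longer matters
    return bound


if __name__ == "__main__":
    ordered = "tags[0]=a&tags[1]=b"       # constructed request body
    descending = "tags[1]=b&tags[0]=a"    # constructed request body
    print(bind_naive(ordered))     # ({'tags': ['a', 'b']}, False)
    print(bind_naive(descending)[1])   # True: the guard had to stop the loop
    print(bind_safe(descending))   # {'tags': ['a', 'b']}
```

The step guard exists only so the script terminates; in a real server the request thread spins and the list grows until the heap is gone, which is the CPU-spike-plus-OutOfMemoryError signature the advisory describes. The hardened version removes any loop whose exit depends on input order and additionally caps the index, which also closes the adjacent memory-exhaustion avenue of one very large index (that cap is an assumption beyond what the advisory states).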

Mitigation Strategies

  • Upgrade the Micronaut Framework to a patched version (3.10.5 or 4.10.16); this is the only real fix.
  • Rate-limit endpoints that accept form-urlencoded data, as a stopgap only: a single malformed request is enough to pin a request thread, so rate limiting bounds how many threads an attacker can tie up, not whether the loop triggers.
  • Configure the JVM to fail fast on OutOfMemoryError (for example -XX:+ExitOnOutOfMemoryError) and let the orchestrator or service manager restart the process, rather than leaving a half-dead JVM running.
  • Monitor for anomalous CPU spikes paired with high heap allocation rates on request threads; that combination is the signature of this loop.

Remediation Steps:

  1. Identify all projects utilizing the Micronaut Framework.
  2. Determine the major version of Micronaut currently in use (3.x or 4.x).
  3. Update the project build file (build.gradle or pom.xml) to pin at least the patched version for that major line (3.10.5 or 4.10.16).
  4. Recompile and run the application test suite to verify compatibility.
  5. Deploy the updated application to production environments.
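As an added example for the remediation steps above (not part of the advisory or the Micronaut project), a small audit script that classifies a Micronaut version against the affected ranges the advisory gives and pulls candidate version pins out of build-file text. The build-file snippets are constructed, and the three regexes are assumptions about common ways projects pin the framework version (a Gradle `micronautVersion` property, a Maven `<micronaut.version>` property, and an explicit `io.micronaut:micronaut-json-core` coordinate); projects using version catalogs or other layouts need their own rule.

```python
"""Added example: classify a Micronaut version against the ranges in
GHSA-43W5-MMXV-CPVH and extract version pins from build-file text.
Sample build files are constructed; the pin regexes are assumptions."""
import re

# Half-open affected ranges from the advisory: [3.0.0, 3.10.5) and [4.0.0, 4.10.16)
AFFECTED = (((3, 0, 0), (3, 10, 5)), ((4, 0, 0), (4, 10, 16)))
PATCHED = {3: "3.10.5", 4: "4.10.16"}

# Assumed pin styles (not exhaustive): Gradle property, Maven property,
# and an explicit coordinate for the affected artifact named in the advisory.
VERSION_PATTERNS = [
    re.compile(r"micronautVersion\s*=\s*['\"]?(\d+\.\d+\.\d+)"),
    re.compile(r"<micronaut\.version>\s*(\d+\.\d+\.\d+)\s*</micronaut\.version>"),
    re.compile(r"io\.micronaut:micronaut-json-core:(\d+\.\d+\.\d+)"),
]


def parse_version(text):
    """'4.10.15' -> (4, 10, 15); a trailing qualifier such as -SNAPSHOT is ignored."""
    m = re.match(r"^\s*(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"not an x.y.z version: {text!r}")
    return tuple(int(p) for p in m.groups())


def is_vulnerable(version):
    """True if the version falls inside one of the advisory's affected ranges."""
    v = parse_version(version)
    return any(lo <= v < hi for lo, hi in AFFECTED)


def patched_version_for(version):
    """Minimum safe release on the same major line, or None when the major
    line is outside the advisory's ranges (e.g. 2.x)."""
    return PATCHED.get(parse_version(version)[0])


def find_versions(build_text):
    """All distinct Micronaut version pins found in one build file's text."""
    found = []
    for pattern in VERSION_PATTERNS:
        for m in pattern.finditer(build_text):
            if m.group(1) not in found:
                found.append(m.group(1))
    return found


def audit(build_text):
    """[(version, vulnerable, patched_version_or_None), ...] for one build file."""
    return [(v, is_vulnerable(v), patched_version_for(v)) for v in find_versions(build_text)]


# Constructed sample build files for the example
GRADLE_PROPERTIES = "micronautVersion=4.10.15\nkotlinVersion=1.9.25\n"
POM_XML = """<project>
  <properties>
    <micronaut.version>3.10.4</micronaut.version>
  </properties>
</project>
"""
BUILD_GRADLE_OK = 'implementation("io.micronaut:micronaut-json-core:4.10.16")\n'

if __name__ == "__main__":
    samples = [("gradle.properties", GRADLE_PROPERTIES),
               ("pom.xml", POM_XML),
               ("build.gradle.kts", BUILD_GRADLE_OK)]
    for filename, text in samples:
        for version, vulnerable, fix in audit(text):
            status = f"VULNERABLE, upgrade to {fix}" if vulnerable else "ok"
            print(f"{filename}: micronaut {version}: {status}")
```

Run it over each project's build files and treat every `VULNERABLE` line as a ticket; a file that yields no version at all means the pin lives somewhere the regexes do not cover (a BOM, a version catalog, a parent POM) and has to be checked by hand.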

Read the full report for GHSA-43W5-MMXV-CPVH on our website for more details including interactive diagrams and full exploit analysis.
