CVE-2026-33013

EUVD-2026-13553

20.03.2026, 05:16

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in theJsonBeanPropertyBinder::expandArrayToThreshold, which allows remote attackers to cause a DoS (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name). This issue has been fixed in versions 4.10.16 and 3.10.5.

Infinite Loop

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	7.5 HIGH	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
objectcomputing	micronaut	𝑥 < 3.10.5
objectcomputing	micronaut	4.0.0 ≤ 𝑥 < 4.10.16

𝑥

= Vulnerable software versions

Known Exploits!

https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-43w5-mmxv-cpvh

Common Weakness Enumeration

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

References

https://github.com/micronaut-projects/micronaut-core/commit/1afe509677c51b320041b7a2c177366d4a4deb55

https://github.com/micronaut-projects/micronaut-core/pull/12410

https://github.com/micronaut-projects/micronaut-core/releases/tag/v3.10.5

https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.16

https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-43w5-mmxv-cpvh