VYPR
High severity · NVD Advisory · Published Mar 20, 2026 · Updated Mar 25, 2026

Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices

CVE-2026-33013

Description

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in the JsonBeanPropertyBinder::expandArrayToThreshold, which allows remote attackers to cause a DoS (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name). This issue has been fixed in versions 4.10.16 and 3.10.5.
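A defender-side check for the pattern the description names, added here as an example and not taken from Micronaut or the advisory: it walks a form-urlencoded body in order and reports any array path whose index drops below one already seen. The function name `descending_index_params` and the sample bodies are constructed for illustration, and the rule is a heuristic derived from the description text, not from the patched code.

```python
import re
from urllib.parse import parse_qsl

# One indexed segment such as "[1]" in "authors[1].name". Indices longer than
# nine digits are ignored by this sketch.
_INDEX = re.compile(r"\[(\d{1,9})\]")


def descending_index_params(body):
    """Return (array_path, highest_index_seen, lower_index) for every parameter
    whose index is lower than one seen earlier for the same array path."""
    highest = {}
    findings = []
    # parse_qsl keeps parameter order and decodes %5B / %5D to brackets.
    for name, _value in parse_qsl(body, keep_blank_values=True):
        for match in _INDEX.finditer(name):
            path = name[:match.start()]  # "authors", or "authors[1].books" when nested
            index = int(match.group(1))
            seen = highest.get(path)
            if seen is not None and index < seen:
                findings.append((path, seen, index))
            if seen is None or index > seen:
                highest[path] = index
    return findings


# Constructed sample bodies, not captured traffic.
SAMPLES = {
    "ascending": "authors[0].name=Ann&authors[1].name=Bob",
    "descending": "authors[1].name=Bob&authors[0].name=Ann",
    "encoded": "authors%5B2%5D.name=C&title=x&authors%5B0%5D.name=A",
    "nested": "authors[1].books[2].t=x&authors[1].books[0].t=y",
}

if __name__ == "__main__":
    for label, body in SAMPLES.items():
        print(label, descending_index_params(body))
```

A hit is a signal to inspect or reject the request in front of an unpatched service, since ordinary clients may also send indices out of order. The remedy stated above remains upgrading to a fixed version.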

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| io.micronaut:micronaut-json-core (Maven) | >= 4.0.0-M1, < 4.10.16 | 4.10.16 |
| io.micronaut:micronaut-json-core (Maven) | >= 3.9.0, < 3.10.5 | 3.10.5 |
| io.micronaut:micronaut-json-core (Maven) | < 3.8.13 | 3.8.13 |