CVE-2026-33012: Micronaut Framework vulnerable to a Denial of Service in HTML error response caching
(updated )
DefaultHtmlErrorResponseBodyProvider in io.micronaut:micronaut-http-server since 4.7.0 and until 4.10.7 used an unbounded ConcurrentHashMap cache with no eviction policy. If the application throws an exception whose message may be influenced by an attacker, for example, including request query value parameters, this could be used by remote attackers
to cause a denial of service (unbounded heap growth and OutOfMemoryError).
Fixed via: https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3
References
- github.com/advisories/GHSA-2hcp-gjrf-7fhc
- github.com/micronaut-projects/micronaut-core
- github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3
- github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.17
- github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-2hcp-gjrf-7fhc
- nvd.nist.gov/vuln/detail/CVE-2026-33012
Code Behaviors & Features
Detect and mitigate CVE-2026-33012 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →