Vulnerability Description
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in theJsonBeanPropertyBinder::expandArrayToThreshold, which allows remote attackers to cause a DoS (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name). This issue has been fixed in versions 4.10.16 and 3.10.5.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Objectcomputing | Micronaut | < 3.10.5 |
Related Weaknesses (CWE)
References
- https://github.com/micronaut-projects/micronaut-core/commit/1afe509677c51b320041Patch
- https://github.com/micronaut-projects/micronaut-core/pull/12410Issue Tracking
- https://github.com/micronaut-projects/micronaut-core/releases/tag/v3.10.5Release Notes
- https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.16Release Notes
- https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-43ExploitPatchVendor Advisory
FAQ
What is CVE-2026-33013?
CVE-2026-33013 is a vulnerability with a CVSS score of 7.5 (HIGH). Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descendi...
How severe is CVE-2026-33013?
CVE-2026-33013 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-33013?
Check the references section above for vendor advisories and patch information. Affected products include: Objectcomputing Micronaut.