Micronaut Core DoS via form-urlencoded array index (4.10.15/3.10.4)
CVE-2026-33013 Published on March 20, 2026

Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in the JsonBeanPropertyBinder::expandArrayToThreshold method, which allows remote attackers to cause a DoS (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name). This issue has been fixed in versions 4.10.16 and 3.10.5.
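
A log-side check for the request shape described above, as an added example that is not part of the advisory or of Micronaut's code: it scans a form-urlencoded body in parameter order and reports array indices that arrive lower than one already seen for the same array. The function name, the field limit, and the sample bodies are assumptions; a hit is a heuristic signal, since benign forms can also submit indices out of order.

```python
import re
from urllib.parse import parse_qsl

# One indexed segment of a form key, e.g. "[1]" in "authors[1].name".
# The digit count is capped so oversized numbers are never converted.
INDEX = re.compile(r"\[([0-9]{1,9})\]")


def find_descending_indices(body, max_fields=1000):
    """Scan an application/x-www-form-urlencoded body in parameter order.

    Returns a list of (array_path, highest_seen, index) tuples, one for each
    key whose array index is lower than an index already seen for the same
    array. Raises ValueError if the body has more than max_fields parameters.
    """
    highest = {}   # array path -> highest index seen so far
    findings = []
    # parse_qsl keeps parameter order and percent-decodes keys, so
    # "authors%5B1%5D.name" is treated the same as "authors[1].name".
    for key, _value in parse_qsl(body, keep_blank_values=True,
                                 max_num_fields=max_fields):
        for m in INDEX.finditer(key):
            # Path up to the bracket, e.g. "authors" or "authors[0].books",
            # so nested arrays are tracked separately per parent element.
            path = key[:m.start()]
            index = int(m.group(1))
            seen = highest.get(path)
            if seen is not None and index < seen:
                findings.append((path, seen, index))
            if seen is None or index > seen:
                highest[path] = index
    return findings


# Constructed sample bodies (not captured traffic).
ASCENDING = "authors[0].name=Ann&authors[1].name=Bob"
DESCENDING = "authors[1].name=Bob&authors[0].name=Ann"
ENCODED = "authors%5B1%5D.name=Bob&authors%5B0%5D.name=Ann"
NESTED = "authors[0].books[2].title=A&authors[0].books[1].title=B"

if __name__ == "__main__":
    for sample in (ASCENDING, DESCENDING, ENCODED, NESTED):
        print(sample, "->", find_descending_indices(sample))
```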

NVD

Weakness Type

What is an Infinite Loop Vulnerability?

The program contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. If the loop can be influenced by an attacker, this weakness could allow attackers to consume excessive resources such as CPU or memory.

CVE-2026-33013 has been classified as an Infinite Loop vulnerability or weakness.


Products Associated with CVE-2026-33013


Affected Versions

micronaut-projects micronaut-core:

Exploit Probability

EPSS: 0.19%
Percentile: 40.35%

EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.