CVE-2026-33013

Source
https://cve.org/CVERecord?id=CVE-2026-33013
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33013.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-33013
Published
2026-03-20T04:47:42.768Z
Modified
2026-04-10T05:43:08.574858Z
Severity
  • 8.2 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Summary
Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices
Details

Micronaut Framework is a JVM-based full-stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in the JsonBeanPropertyBinder::expandArrayToThreshold method, which allows remote attackers to cause a DoS (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name). This issue has been fixed in versions 4.10.16 and 3.10.5.

Database specific
{
    "cwe_ids": [
        "CWE-835"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/33xxx/CVE-2026-33013.json",
    "cna_assigner": "GitHub_M"
}

Affected packages

Git / github.com/micronaut-projects/micronaut-core

Affected ranges

Type
GIT
Repo
https://github.com/micronaut-projects/micronaut-core
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed

Affected versions

v1.*
v1.0.0
v1.0.0.M1
v1.0.0.M2
v1.0.0.M3
v1.0.0.M4
v1.0.0.RC2
v1.0.0.RC3
v1.1.0.M1
v1.1.0.M2
v1.1.0.RC1
v1.1.0.RC2
v1.2.0
v1.2.0.RC1
v1.2.0.RC2
v1.3.0
v1.3.0.M1
v1.3.0.M2
v1.3.0.RC1
v1.3.0.TEST
v2.*
v2.0.0
v2.0.0.RC1
v2.0.0.RC2
v2.0.1
v3.*
v3.0.0
v3.0.0-M2
v3.0.0-M4
v3.0.0-M5
v3.0.0-RC1
v3.1.0
v3.10.0
v3.10.1
v3.10.2
v3.10.3
v3.10.4
v3.2.0
v3.3.0-M1
v3.4.0
v3.5.0
v3.6.0
v3.7.0
v3.8.0
v3.9.0
v4.*
v4.0.0-M1
v4.0.0-M2
v4.0.0-M3
v4.0.0-M4
v4.0.0-M5
v4.0.0-M6
v4.0.0-M7
v4.0.0-RC1
v4.1.0
v4.10.0
v4.10.1
v4.10.10
v4.10.11
v4.10.12
v4.10.13
v4.10.14
v4.10.15
v4.10.2
v4.10.3
v4.10.4
v4.10.5
v4.10.6
v4.10.7
v4.10.8
v4.10.9
v4.3.0
v4.3.1
v4.3.2
v4.3.3
v4.3.4
v4.4.0
v4.4.1
v4.5.0
v4.5.1
v4.5.2
v4.5.3
v4.6.0
v4.6.1
v4.7.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-33013.json"