Shblue21

**Name of the Vulnerable Software and Affected Versions** Micronaut Framework versions 4.7.0 through 4.10.16 **Description** The Micronaut Framework, a JVM-based full stack Java framework, is affected by a denial-of-service issue. The `DefaultHtmlErrorResponseBodyProvider` component used an unbounded `ConcurrentHashMap` cache without an eviction policy. If an application throws an exception with a message influenced by an attacker – for example, through request query parameters – this could lead to uncontrolled heap growth and an OutOfMemoryError, resulting in a denial of service. The vulnerable component is `DefaultHtmlErrorResponseBodyProvider` within `io.micronaut:micronaut-http-server`. The vulnerable parameter is the exception message, which can be influenced by attacker-controlled input. **Recommendations** Versions prior to 4.10.7 are vulnerable. Update to version 4.10.7 or later to resolve the issue.

**Name of the Vulnerable Software and Affected Versions** Micronaut Framework versions prior to 4.10.16 and prior to 3.10.5 **Description** The Micronaut Framework does not handle descending array index order correctly during form-urlencoded body binding within the `JsonBeanPropertyBinder::expandArrayToThreshold` function. This can allow a remote attacker to cause a denial of service (DoS) condition, characterized by a non-terminating loop, CPU exhaustion, and an OutOfMemoryError. The issue occurs when crafted indexed form parameters are submitted, such as `authors[1].name` followed by `authors[0].name`. The affected component is `io.micronaut:micronaut-json-core`. Submitting a POST request with manipulated form parameters can lead to sustained CPU usage and unbounded memory growth. **Recommendations** Versions prior to 4.10.16 must be upgraded to version 4.10.16 or later. Versions prior to 3.10.5 must be upgraded to version 3.10.5 or later.

**Name of the Vulnerable Software and Affected Versions** Echo versions 5.0.0 through 5.0.2 **Description** Echo, a Go web framework, has an issue where the `middleware.Static` component, when used with the default filesystem on Windows, allows path traversal through backslashes. This enables unauthenticated remote file read outside the designated static root. The requested path is processed using `path.Clean`, which does not recognize backslashes as path separators, leaving `..` sequences intact. Subsequently, `os.Open` on Windows interprets these backslashes as separators, enabling traversal beyond the intended static root. The `middleware/static.go` file and the `echo.go` file are relevant to this issue. **Recommendations** Update to Echo version 5.0.3 or later.