PT-2026-25991 · Micronaut · Micronaut-Http-Server+1

Shblue21 · Published 2026-03-17 · Updated 2026-03-22 · CVE-2026-33012

CVSS v3.1: 7.5 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions

Micronaut Framework versions 4.7.0 through 4.10.16

Description

The Micronaut Framework, a JVM-based full stack Java framework, is affected by a denial-of-service issue. The DefaultHtmlErrorResponseBodyProvider component used an unbounded ConcurrentHashMap cache without an eviction policy. If an application throws an exception with a message influenced by an attacker (for example, through request query parameters), this could lead to uncontrolled heap growth and an OutOfMemoryError, resulting in a denial of service. The vulnerable component is DefaultHtmlErrorResponseBodyProvider within io.micronaut:micronaut-http-server. The vulnerable parameter is the exception message, which can be influenced by attacker-controlled input.

Recommendations

Versions prior to 4.10.7 are vulnerable. Update to version 4.10.7 or later to resolve the issue.

Exploit

Fix

DoS

Allocation of Resources Without Limits

Weakness Enumeration

Related Identifiers

CVE-2026-33012
GHSA-2HCP-GJRF-7FHC

Affected Products

Micronaut Framework
Micronaut-Http-Server