PT-2026-26180 · Io+1 · Micronaut-Json-Core+1

Shblue21 · Published 2026-03-17 · Updated 2026-03-20 · CVE-2026-33013

CVSS v4.0: 8.2 High

Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions

Micronaut Framework versions prior to 4.10.16 and prior to 3.10.5

Description

The Micronaut Framework does not handle descending array index order correctly during form-urlencoded body binding within the JsonBeanPropertyBinder::expandArrayToThreshold function. This can allow a remote attacker to cause a denial of service (DoS) condition, characterized by a non-terminating loop, CPU exhaustion, and an OutOfMemoryError. The issue occurs when crafted indexed form parameters are submitted, such as authors[1].name followed by authors[0].name. The affected component is io.micronaut:micronaut-json-core. Submitting a POST request with manipulated form parameters can lead to sustained CPU usage and unbounded memory growth.

Recommendations

Versions prior to 4.10.16 must be upgraded to version 4.10.16 or later. Versions prior to 3.10.5 must be upgraded to version 3.10.5 or later.
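
A detection check for the request shape named in the description, added here as an example and not taken from the advisory or the Micronaut project: it flags form-urlencoded bodies in which an indexed parameter arrives with a lower index than one already seen for the same array. The function name and the sample bodies are constructed for illustration; legitimate clients can also send indices out of order, so treat a hit as a heuristic signal for services still on an affected version.

```python
import re
from urllib.parse import parse_qsl

# One indexed segment of a form key, e.g. the "[1]" in "authors[1].name".
# Indices longer than 10 digits are ignored by this heuristic.
_INDEX = re.compile(r"\[(\d{1,10})\]")


def descending_index_keys(body: str) -> list[tuple[str, int, int]]:
    """Return (array_path, highest_index_seen, later_lower_index) for each
    indexed parameter that arrives after a higher index of the same array."""
    highest: dict[str, int] = {}
    findings: list[tuple[str, int, int]] = []
    # parse_qsl percent-decodes keys, so "authors%5B1%5D" is handled too.
    for key, _value in parse_qsl(body, keep_blank_values=True):
        for m in _INDEX.finditer(key):
            path = key[: m.start()]  # e.g. "authors" or "books[0].authors"
            idx = int(m.group(1))
            prev = highest.get(path)
            if prev is not None and idx < prev:
                findings.append((path, prev, idx))
            highest[path] = idx if prev is None else max(prev, idx)
    return findings


# Constructed sample bodies (not captured traffic).
SAMPLE_BODIES = [
    "authors[0].name=a&authors[1].name=b",          # ascending
    "authors[1].name=a&authors[0].name=b",          # order from the description
    "authors%5B1%5D.name=a&authors%5B0%5D.name=b",  # same, percent-encoded
]

if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        hits = descending_index_keys(body)
        print("FLAG" if hits else "ok  ", body, hits)
```
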

Exploit

Fix

Infinite Loop

Weakness Enumeration

Related Identifiers

CVE-2026-33013
GHSA-43W5-MMXV-CPVH

Affected Products

Micronaut Framework
Micronaut-Json-Core