N/A

CVSS Score

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-43w5-mmxv-cpvh

GHSA-43w5-mmxv-cpvh: Micronaut vulnerable to DoS via crafted form-urlencoded body binding with descending array indices

In JsonBeanPropertyBinder::expandArrayToThreshold in io.micronaut:micronaut-json-core before Micronaut 4 4.10.16 and in Micronaut 3 before 3.10.5 does not correctly handle descending array index order during form-urlencoded body binding, which allows remote attackers to cause a denial of service (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name).

Example

With such an application

package dosform;

import io.micronaut.http.HttpResponse;
import io.micronaut.http.MediaType;
import io.micronaut.http.annotation.Body;
import io.micronaut.http.annotation.Consumes;
import io.micronaut.http.annotation.Controller;
import io.micronaut.http.annotation.Get;
import io.micronaut.http.annotation.Post;
import io.micronaut.http.annotation.Produces;

import java.net.URI;

@Controller
class HomeController {

    @Produces(MediaType.TEXT_HTML)
    @Get
    String index() {
        return """
                <!DOCTYPE html>
                <html>
                <head>
                <title></title>
                </head>
                <body>
    <form action="/submit" method="post">
      <label for="firstAuthor">Fist Author</label>
      <input id="firstAuthor" name="authors[0].name" type="text"/>

      <label for="secondAuthor">Second Author</label>
      <input id="secondAuthor" name="authors[1].name" type="text"/>
      
      <label for="thirdAuthor">Third Author</label>
      <input id="thirdAuthor" name="authors[2].name" type="text"/>

      <button type="submit">Submit</button>
    </form>
               
                </body>
                </html>
                """;
    }

    @Consumes(MediaType.APPLICATION_FORM_URLENCODED)
    @Post("/submit")
    HttpResponse<?> submit(@Body Book book) {
        return HttpResponse.seeOther(URI.create("/"));
    }
}
package dosform;

import io.micronaut.core.annotation.Introspected;

import java.util.Objects;

@Introspected
public class Author {
    private String name;
    public String getName() { return name; }
    public void setName(String name) { this.name = name; }

    @Override
    public final boolean equals(Object o) {
        if (!(o instanceof Author)) return false;

        Author author = (Author) o;
        return Objects.equals(name, author.name);
    }

    @Override
    public int hashCode() {
        return Objects.hashCode(name);
    }

    @Override
    public String toString() {
        return "Author{" +
                "name='" + name + '\'' +
                '}';
    }
}
package dosform;

import io.micronaut.core.annotation.Introspected;

import java.util.List;
import java.util.Objects;

@Introspected
public class Book {
    private List<Author> authors;
    public List<Author> getAuthors() { return authors; }
    public void setAuthors(List<Author> authors) { this.authors = authors; }

    @Override
    public final boolean equals(Object o) {
        if (!(o instanceof Book)) return false;

        Book book = (Book) o;
        return Objects.equals(authors, book.authors);
    }

    @Override
    public int hashCode() {
        return Objects.hashCode(authors);
    }

    @Override
    public String toString() {
        return "Book{" +
                "authors=" + authors +
                '}';
    }
}

Sending curl -v -X POST 'http://127.0.0.1:8080/submit' -H 'Content-Type: application/x-www-form-urlencoded' --data-urlencode 'authors[1].name=RobertGalbraith' --data-urlencode 'authors[0].name=JKRowling' causes sustained CPU usage and unbounded memory growth (eventually OutOfMemoryError).

Patches

For Micronaut 4, the problem has been patched in micronaut-core, dependencies with group id io.micronaut, since 4.10.16.

For Micronaut 3, the problem has been patched since 3.10.5

Users upgrade to the latest version of the framework.

Workarounds

There is no way for users to fix or remediate the vulnerability without upgrading.

References

PR Fix: https://github.com/micronaut-projects/micronaut-core/pull/12410

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-43w5-mmxv-cpvh

GHSA-43w5-mmxv-cpvh:

N/A

CVSS Score

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
io.micronaut:micronaut-json-core	maven	>= 4.0.0-M1, < 4.10.16	4.10.16
io.micronaut:micronaut-json-core	maven	< 3.10.5	3.10.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The security vulnerability exists in the io.micronaut.json.bind.JsonBeanPropertyBinder class, specifically within the expandArrayToThreshold method. The patch applied in commit 1afe509677c51b320041b7a2c177366d4a4deb55 directly addresses the flaw in this method. The vulnerability is triggered when the application receives a form-urlencoded request where array-based parameters are sent with descending indices. For instance, sending authors[1].name before authors[0].name. The original code in expandArrayToThreshold used a while loop with the condition arrayNode.values.size() != arrayIndex + 1. When the binder processes authors[1].name, it expands the internal array to size 2. Subsequently, when it processes authors[0].name, the arrayIndex is 0, and the loop condition becomes 2 != 1, which is true. The loop body then proceeds to add more elements to the array, making its size grow indefinitely (3, 4, 5, ...), ensuring the condition != 1 is never met. This results in an infinite loop, causing 100% CPU utilization and an OutOfMemoryError, leading to a denial of service. The fix replaces the != operator with <, so the loop condition becomes arrayNode.values.size() < arrayIndex + 1. This ensures that the loop only runs if the array needs to be expanded and terminates correctly if the array is already large enough, thus mitigating the vulnerability. Therefore, the function io.micronaut.json.bind.JsonBeanPropertyBinder.expandArrayToThreshold is the precise location of the vulnerability and would be a key indicator in a runtime profile during an exploit.

Vulnerable functions

io.micronaut.json.bind.JsonBeanPropertyBinder.expandArrayToThreshold

json-core/src/main/java/io/micronaut/json/bind/JsonBeanPropertyBinder.java

The vulnerability is caused by an infinite loop in the `expandArrayToThreshold` method. When processing form-urlencoded data with descending array indices (e.g., `authors[1].name` followed by `authors[0].name`), the `while` loop condition `arrayNode.values.size() != arrayIndex + 1` is always true because the size of `arrayNode.values` will be greater than `arrayIndex + 1` and will keep increasing. This leads to a denial of service.

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.