CVE-2026-33013
Published: 20 March 2026
Summary
CVE-2026-33013 is a high-severity Infinite Loop (CWE-835) vulnerability in Micronaut Framework (vendor: Object Computing). Its CVSS 3.1 base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE ranks in the top 49.1% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly mitigates the vulnerability by requiring identification, reporting, and timely patching of the infinite-loop flaw in Micronaut Framework's form-urlencoded body binding; the fix ships in 4.10.16 and 3.10.5.
- SC-5 (Denial-of-Service Protection): provides system-wide protection against denial-of-service attacks, including the CPU and memory exhaustion that crafted indexed form parameters cause here.
- SI-10 (Information Input Validation): validates incoming form-urlencoded input before binding, rejecting indexed parameters whose array indices arrive out of ascending order (e.g. authors[1].name before authors[0].name) or exceed a size limit, so the non-terminating loop in JsonBeanPropertyBinder::expandArrayToThreshold is never reached. Descending indices are syntactically valid, so this is a policy check on ordering and bounds, not a check for malformed syntax.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE describes remote, unauthenticated exploitation of a server-side input-binding flaw (an infinite loop on crafted form-urlencoded array indices) that directly causes CPU and memory exhaustion and denial of service, matching Endpoint Denial of Service via Application or System Exploitation (T1499.004).
NVD Description
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in the JsonBeanPropertyBinder::expandArrayToThreshold, which allows remote attackers to cause a DoS (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name). This issue has been fixed in versions 4.10.16 and 3.10.5.
Deeper analysis
CVE-2026-33013 is a denial-of-service vulnerability in the Micronaut Framework, a JVM-based full stack Java framework for building modular, easily testable JVM applications. Versions prior to 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in the JsonBeanPropertyBinder::expandArrayToThreshold method. This flaw, mapped to CWE-835 (Loop with Unreachable Exit Condition) and scored 7.5 under CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), allows remote attackers to trigger resource exhaustion.
Attackers with network access can exploit this remotely without authentication or user interaction by submitting crafted indexed form parameters, such as authors[1].name followed by authors[0].name. These inputs cause a non-terminating loop in the binding process, resulting in CPU exhaustion and OutOfMemoryError, potentially disrupting service availability for affected applications.
Mitigation is available through upgrades to Micronaut Framework versions 4.10.16 or 3.10.5, where the issue has been fixed. Official details are provided in the GitHub security advisory (GHSA-43w5-mmxv-cpvh), the fixing commit (1afe509677c51b320041b7a2c177366d4a4deb55), pull request #12410, and release notes for tags v3.10.5 and v4.10.16.
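The following is an added, constructed model of the failure mode described above and of the input-validation control listed under Mitigating Controls; it is not Micronaut's code and does not reproduce the real expandArrayToThreshold. It assumes a binder that grows a list "to the threshold" given by each bracketed index with an equality loop condition (the vulnerable shape), shows the relational condition that terminates for any index order (the fixed shape), and adds a pre-binding check that rejects descending or oversized indices. The key syntax (name[index].field), the step budget, and the validate_indexed_keys function are assumptions for the demonstration.

```python
"""Model of CWE-835 in indexed form-parameter binding (constructed example).

NOT Micronaut's code: a simplified binder that expands a list to the index
named in keys such as authors[1].name, so the descending-index failure and
its fix can be exercised offline.
"""
import re
from urllib.parse import parse_qsl

# Assumed key shape: name[index].field (e.g. authors[1].name).
INDEXED_KEY = re.compile(r"^(?P<name>[A-Za-z_]\w*)\[(?P<index>\d+)\]\.(?P<field>[A-Za-z_]\w*)$")

# Constructed request bodies.
ASCENDING_BODY = "authors[0].name=Alice&authors[1].name=Bob"
DESCENDING_BODY = "authors[1].name=Bob&authors[0].name=Alice"  # the trigger shape from the advisory


class NonTerminatingLoop(Exception):
    """Raised by the vulnerable model once a step budget is exceeded. The real
    loop has no budget: it spins (CPU exhaustion) and keeps allocating until
    the JVM throws OutOfMemoryError."""


def expand_vulnerable(arr, index, step_budget=1_000):
    """Grow arr until its length EQUALS index + 1 (assumed vulnerable shape).
    Fine for ascending indices; a smaller index arriving after a larger one
    finds the list already longer than the target, so equality never holds."""
    steps = 0
    while len(arr) != index + 1:
        arr.append(None)
        steps += 1
        if steps > step_budget:
            raise NonTerminatingLoop(f"index {index} with list size {len(arr)}")
    return arr


def expand_fixed(arr, index):
    """Grow arr only while it is too short; an index already in range is a no-op."""
    while len(arr) <= index:
        arr.append(None)
    return arr


def bind_form(body, expand=expand_fixed):
    """Bind key=value pairs into {name: [{field: value}, ...]} using the given expander."""
    bound = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = INDEXED_KEY.match(key)
        if not m:
            bound[key] = value
            continue
        name, index, field = m["name"], int(m["index"]), m["field"]
        arr = bound.setdefault(name, [])
        expand(arr, index)
        if arr[index] is None:
            arr[index] = {}
        arr[index][field] = value
    return bound


def validate_indexed_keys(body, max_index=100):
    """Assumed compensating control run before binding: accept only bodies whose
    indices per array never decrease (equal indices are fine, e.g. two fields of
    authors[0]) and stay within max_index. Returns True when the body is safe."""
    last_seen = {}
    for key, _ in parse_qsl(body, keep_blank_values=True):
        m = INDEXED_KEY.match(key)
        if not m:
            continue
        name, index = m["name"], int(m["index"])
        if index > max_index or index < last_seen.get(name, -1):
            return False
        last_seen[name] = index
    return True


def vulnerable_binder_hangs(body):
    """True if the vulnerable model fails to terminate on this body (budget hit)."""
    try:
        bind_form(body, expand=expand_vulnerable)
        return False
    except NonTerminatingLoop:
        return True


if __name__ == "__main__":
    print("ascending, vulnerable :", bind_form(ASCENDING_BODY, expand_vulnerable))
    print("descending, vulnerable hangs:", vulnerable_binder_hangs(DESCENDING_BODY))
    print("descending, fixed     :", bind_form(DESCENDING_BODY, expand_fixed))
    print("validator accepts descending body:", validate_indexed_keys(DESCENDING_BODY))
```

The fixed expander is the real remediation (upgrade to 4.10.16 or 3.10.5); the validator is a stop-gap for deployments that cannot patch immediately, and its max_index bound also limits how much memory any single request can force the binder to allocate.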
Details
- CWE(s)