Cyber Resilience

CVE-2026-33013

High · Public PoC · DDoS

Published: 20 March 2026
Modified: 24 March 2026
CVSS Score (v4): 8.2 (CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0060 (43.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-33013 is a high-severity Infinite Loop (CWE-835) vulnerability in Objectcomputing Micronaut. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). The CVE is ranked at the 43.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-33013 is a denial-of-service vulnerability in the Micronaut Framework, a JVM-based full stack Java framework for building modular, easily testable JVM applications. Versions prior to 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in the JsonBeanPropertyBinder::expandArrayToThreshold method. This flaw, mapped to CWE-835 (Loop with Unreachable Exit Condition) and scored 7.5 under CVSS 3.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), allows remote attackers to trigger resource exhaustion.

Attackers with network access can exploit this remotely without authentication or user interaction by submitting crafted indexed form parameters, such as authors[1].name followed by authors[0].name. These inputs cause a non-terminating loop in the binding process, resulting in CPU exhaustion and OutOfMemoryError, potentially disrupting service availability for affected applications.

Mitigation is available through upgrades to Micronaut Framework versions 4.10.16 or 3.10.5, where the issue has been fixed. Official details are provided in the GitHub security advisory (GHSA-43w5-mmxv-cpvh), the fixing commit (1afe509677c51b320041b7a2c177366d4a4deb55), pull request #12410, and release notes for tags v3.10.5 and v4.10.16.
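As an added, defender-side example (not Micronaut's own code and not from the advisory), the check below scans a raw application/x-www-form-urlencoded body and flags any array index that is lower than an index already submitted for the same array path, the descending ordering described above; a front-end filter on an unpatched instance could reject such bodies before they reach the binder. The function names and the sample bodies are constructed for this illustration.

```python
import re
from urllib.parse import parse_qsl

# Matches each "[<digits>]" array index inside a form key such as authors[1].name
ARRAY_INDEX = re.compile(r"\[(\d+)\]")


def descending_index_keys(body: str) -> list:
    """Return one (key, highest_index_seen_so_far, index) tuple for every array
    index in the body that is lower than an index already seen for the same
    array path. parse_qsl percent-decodes keys, so authors%5B1%5D.name is
    handled the same way as authors[1].name."""
    highest = {}   # array path (text before the bracket) -> highest index seen
    findings = []
    for key, _value in parse_qsl(body, keep_blank_values=True):
        for m in ARRAY_INDEX.finditer(key):
            path = key[: m.start()]          # e.g. "authors" or "authors[1].books"
            idx = int(m.group(1))
            prev = highest.get(path)
            if prev is not None and idx < prev:
                findings.append((key, prev, idx))
            highest[path] = idx if prev is None else max(prev, idx)
    return findings


def should_reject(body: str) -> bool:
    """True when the body contains at least one out-of-order array index."""
    return bool(descending_index_keys(body))


if __name__ == "__main__":
    # Constructed sample bodies; "descending" mirrors the ordering named in the advisory.
    samples = {
        "ascending": "authors[0].name=Ada&authors[1].name=Grace",
        "descending": "authors[1].name=Grace&authors[0].name=Ada",
        "nested ok": "authors[0].books[1].title=A&authors[1].books[0].title=B",
    }
    for label, body in samples.items():
        print(f"{label:11} reject={should_reject(body)} {descending_index_keys(body)}")
```

Indices inside different parent elements (authors[0].books versus authors[1].books) are tracked as separate arrays, so ordinary nested forms are not flagged.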


Vulnerability details

Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in the JsonBeanPropertyBinder::expandArrayToThreshold, which allows remote attackers to cause a DoS (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name). This issue has been fixed in versions 4.10.16 and 3.10.5.

CWE(s)

CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes remote, unauthenticated exploitation of a server-side input binding flaw (an infinite loop on crafted form-urlencoded arrays) that directly causes CPU/memory exhaustion and service denial, matching Endpoint DoS via Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33012 · Same product: Objectcomputing Micronaut
CVE-2026-31448 · Shared CWE-835
CVE-2026-23451 · Shared CWE-835
CVE-2026-29975 · Shared CWE-835
CVE-2026-42899 · Shared CWE-835
CVE-2026-2219 · Shared CWE-835
CVE-2026-39806 · Shared CWE-835
CVE-2024-40675 · Shared CWE-835
CVE-2026-32287 · Shared CWE-835
CVE-2026-21507 · Shared CWE-835

Affected Assets

objectcomputing micronaut: ≤ 3.10.5 · 4.0.0 to 4.10.16

Mitigating Controls (NIST 800-53 r5, AI)

SI-2 (Flaw Remediation) · prevent
Directly mitigates the vulnerability by requiring identification, reporting, and timely patching of the infinite loop flaw in Micronaut Framework's form-urlencoded binding.

SC-5 (Denial-of-service Protection) · prevent
Provides system-wide protections against denial-of-service attacks, including resource exhaustion from crafted form parameters causing CPU and memory depletion.

Input validation · prevent
Validates incoming form-urlencoded inputs to block malformed descending array indices that trigger the non-terminating loop in JsonBeanPropertyBinder.

References