CVE-2026-33013 - High Severity Vulnerability
Vulnerable Library - micronaut-json-core-3.4.3.jar
Natively Cloud Native
Library home page: http://micronaut.io
Path to dependency file: /openapi-client/java-micronaut-client/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/io.micronaut/micronaut-json-core/3.4.3/d7b414f1de2fd5dc123847444ddbd583628dba20/micronaut-json-core-3.4.3.jar
Dependency Hierarchy:
- micronaut-bom-3.4.3.pom (Root Library)
- ❌ micronaut-json-core-3.4.3.jar (Vulnerable Library)
Found in HEAD commit: 0879348474e22463e77dc76ba5e5f7e6300a2b6c
Found in base branch: master
Vulnerability Details
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions prior to both 4.10.16 and 3.10.5 do not correctly handle descending array index order during form-urlencoded body binding in the JsonBeanPropertyBinder::expandArrayToThreshold, which allows remote attackers to cause a DoS (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name). This issue has been fixed in versions 4.10.16 and 3.10.5.
Publish Date: 2026-03-20
URL: CVE-2026-33013
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-43w5-mmxv-cpvh
Release Date: 2026-03-18
Fix Resolution: io.micronaut:micronaut-json-core:3.8.13,io.micronaut:micronaut-json-core:3.10.5,https://github.com/micronaut-projects/micronaut-core.git - v4.10.16,https://github.com/micronaut-projects/micronaut-core.git - v3.10.5,https://github.com/micronaut-projects/micronaut-core.git - v3.8.13