Micronaut Framework Denial-of-Service Vulnerability via Crafted Form-Urlencoded Payload

A denial-of-service vulnerability has been identified in Micronaut Framework versions prior to 4.10.16 and 3.10.5. The issue arises in the JsonBeanPropertyBinder component, which improperly manages array index order during form-url-encoded body binding. This flaw allows remote attackers to create a non-terminating loop that exhausts CPU resources and leads to an OutOfMemoryError. The vulnerability can be exploited by sending crafted indexed form parameters with descending order, such as 'authors[1].name' followed by 'authors[0].name'.

Impact

Exploitation of this vulnerability causes sustained CPU usage and unbounded memory growth, eventually leading to an OutOfMemoryError.

Reproduction

The vulnerability can be reproduced by sending a POST request to an endpoint that accepts form-url-encoded data. The request must include indexed parameters with descending order, such as 'authors[1].name' followed by 'authors[0].name'. This can be done using a tool like curl, which allows for the manipulation of form data in the desired order.

Remediation

Users are advised to upgrade to Micronaut Framework versions 4.10.16 or 3.10.5, where this vulnerability has been patched.