Micronaut Framework
cpe:2.3:a:objectcomputing:micronaut:*:*:*:*:*:*:*
- >= 4.3.0, < 4.10.22
A denial-of-service vulnerability has been identified in the Micronaut Framework, affecting versions from 4.3.0 up to but not including 4.10.22. The issue lies in the TimeConverterRegistrar, which caches DateTimeFormatter instances in an unbounded ConcurrentHashMap. Each cache key is built from the @Format annotation pattern combined with the locale derived from the request's HTTP Accept-Language header. Because Locale.forLanguageTag() accepts arbitrary BCP 47 private-use subtags and keeps them in the resulting Locale, an unauthenticated attacker can mint an unlimited number of distinct cache keys simply by sending requests whose Accept-Language value carries a tag not seen before. Every such request adds an entry that is never evicted, so the cache grows without bound until the heap is exhausted and the JVM fails with an OutOfMemoryError.
Successful exploitation lets an unauthenticated attacker drive a Micronaut server out of heap memory and take it down. It requires that the application expose at least one endpoint binding a @Format-annotated temporal parameter, since that binding path is what populates the cache; applications without such an endpoint are not reachable through this issue.
To reproduce this vulnerability, send HTTP requests to a Micronaut application endpoint that binds a @Format-annotated temporal parameter. Give each request an Accept-Language header carrying a previously unseen BCP 47 private-use subtag (private-use subtags follow an x- singleton, so a counter appended after x- is sufficient). Each distinct tag creates a new cache entry, and the heap fills gradually until the server runs out of memory. This can be automated with a script that issues many requests, throttled on the attacker side so that ephemeral ports and sockets are not exhausted before the target's heap is.
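The following is an added, self-contained Java illustration of the cache behaviour described above; it is not Micronaut's own code, and the shape of the cache (a pattern+locale string key into a ConcurrentHashMap) is an assumed simplification of TimeConverterRegistrar. It puts the vulnerable pattern beside a hardened form that canonicalises the locale to language and region before keying and caps the cache size, then feeds both a constructed stream of Accept-Language values that differ only in their private-use subtag.

```java
import java.time.LocalDate;
import java.time.format.DateTimeFormatter;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

public class LocaleCacheDemo {

    // Vulnerable shape (assumed simplification): one entry per distinct pattern+locale key,
    // with the locale taken verbatim from the request's Accept-Language value.
    static final Map<String, DateTimeFormatter> UNBOUNDED = new ConcurrentHashMap<>();

    static DateTimeFormatter vulnerableFormatter(String pattern, String acceptLanguage) {
        Locale locale = Locale.forLanguageTag(acceptLanguage);
        // toLanguageTag() preserves the x- private-use subtag, so "en-US-x-1", "en-US-x-2", ...
        // are all distinct keys even though they format dates identically.
        String key = pattern + "|" + locale.toLanguageTag();
        return UNBOUNDED.computeIfAbsent(key, k -> DateTimeFormatter.ofPattern(pattern, locale));
    }

    // Hardened shape: canonicalise the locale before keying, and bound the cache so that
    // even unexpected input cannot grow it without limit. MAX_ENTRIES is an assumed value.
    static final int MAX_ENTRIES = 256;
    static final Map<String, DateTimeFormatter> BOUNDED = Collections.synchronizedMap(
            new LinkedHashMap<String, DateTimeFormatter>(16, 0.75f, true) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<String, DateTimeFormatter> eldest) {
                    return size() > MAX_ENTRIES; // LRU eviction once the cap is reached
                }
            });

    static Locale canonicalise(String acceptLanguage) {
        Locale raw = Locale.forLanguageTag(acceptLanguage);
        // Rebuild from language and region only: this drops every extension (including the
        // x- private-use subtag) and any variant, leaving a small, finite key space.
        return new Locale.Builder()
                .setLanguage(raw.getLanguage())
                .setRegion(raw.getCountry())
                .build();
    }

    static DateTimeFormatter hardenedFormatter(String pattern, String acceptLanguage) {
        Locale locale = canonicalise(acceptLanguage);
        String key = pattern + "|" + locale.toLanguageTag();
        return BOUNDED.computeIfAbsent(key, k -> DateTimeFormatter.ofPattern(pattern, locale));
    }

    public static void main(String[] args) {
        String pattern = "yyyy-MM-dd";
        LocalDate date = LocalDate.of(2024, 1, 31);
        // Constructed attacker input: the same base locale with a fresh private-use subtag each time,
        // standing in for the Accept-Language header of each request.
        for (int i = 0; i < 10_000; i++) {
            String acceptLanguage = "en-US-x-" + Integer.toString(i, 36);
            vulnerableFormatter(pattern, acceptLanguage).format(date);
            hardenedFormatter(pattern, acceptLanguage).format(date);
        }
        System.out.println("unbounded cache entries: " + UNBOUNDED.size()); // grows with every request
        System.out.println("bounded cache entries:   " + BOUNDED.size());   // stays at 1 (en-US)
    }
}
```

Run with `java LocaleCacheDemo.java` on JDK 11 or later. The vulnerable map ends with one entry per request sent, which is exactly the growth the advisory describes, while the hardened map holds a single entry because every variant of the tag canonicalises to en-US. Canonicalisation is the fix that removes the attacker's leverage; the size cap is defence in depth for any other input that reaches the key.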
Users can upgrade to Micronaut Framework version 4.10.22 or later, where this vulnerability has been fixed.