Micronaut Framework ResourceBundleMessageSource Memory Exhaustion Vulnerability

Vulnerability

A memory exhaustion vulnerability has been identified in the Micronaut Framework in versions prior to 4.10.22. The issue lies in the ResourceBundleMessageSource component, which resolves localized messages for applications. An unauthenticated attacker can deplete heap memory by sending requests that carry many distinct Accept-Language values: each distinct value creates a new entry in the unbounded bundleCache. The issue primarily affects applications that explicitly register a ResourceBundleMessageSource bean and serve HTML error responses.

Impact

Exploitation causes unbounded growth of the bundleCache and, with it, steadily increasing heap consumption. Each distinct Accept-Language value adds approximately 100-200 bytes, and more when a matching resource bundle is found and loaded. The exhaustion is gradual rather than immediate, so it mainly threatens the availability of long-running services.

Reproduction

To reproduce this vulnerability, register a ResourceBundleMessageSource bean in a Micronaut application, then send HTTP requests to a URL that returns an HTML error response (for example a 404) with a different Accept-Language value in each request. Each distinct value creates a new entry in the unbounded bundleCache, so heap usage grows with the number of distinct values sent.

Remediation

The vulnerability has been fixed in Micronaut Framework version 4.10.22. Users should upgrade to version 4.10.22 or later.
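The mechanism described under Impact and the kind of fix described under Remediation can be shown with a small stand-alone illustration. The following is an added example, not Micronaut's code and not the patched ResourceBundleMessageSource: a plain-Java cache keyed by Locale that is populated from the Accept-Language header. The class and method names (LocaleCacheDemo, UnboundedCache, BoundedCache, loadBundle, preferredLocale, resolveSupported), the three-locale bundle table and the generated header values are all assumptions made up for the example. It contrasts the unbounded HashMap pattern with two defensive patterns: an LRU-bounded map, and resolving the requested locale onto the set of locales the application actually ships bundles for before it is ever used as a cache key.

```java
import java.util.HashMap;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.Set;

public class LocaleCacheDemo {

    // Locales this hypothetical application ships message bundles for (constructed).
    static final Set<Locale> SUPPORTED = Set.of(Locale.ENGLISH, Locale.GERMAN, Locale.FRENCH);

    // Stand-in for ResourceBundle loading: a tiny constructed bundle table.
    // A miss is cached too, so an unsupported locale still costs a cache entry.
    static Optional<String> loadBundle(Locale locale) {
        return SUPPORTED.contains(locale)
                ? Optional.of("messages_" + locale.toLanguageTag())
                : Optional.empty();
    }

    // Vulnerable pattern: one cache entry per distinct locale, never evicted.
    static final class UnboundedCache {
        private final Map<Locale, Optional<String>> bundleCache = new HashMap<>();

        Optional<String> lookup(Locale locale) {
            return bundleCache.computeIfAbsent(locale, LocaleCacheDemo::loadBundle);
        }

        int size() {
            return bundleCache.size();
        }
    }

    // Hardened pattern 1: an access-ordered LinkedHashMap that evicts the least
    // recently used entry once it exceeds maxEntries, so memory stays bounded
    // regardless of how many distinct locales clients present.
    static final class BoundedCache {
        private final Map<Locale, Optional<String>> bundleCache;

        BoundedCache(int maxEntries) {
            this.bundleCache = new LinkedHashMap<>(16, 0.75f, true) {
                @Override
                protected boolean removeEldestEntry(Map.Entry<Locale, Optional<String>> eldest) {
                    return size() > maxEntries;
                }
            };
        }

        Optional<String> lookup(Locale locale) {
            return bundleCache.computeIfAbsent(locale, LocaleCacheDemo::loadBundle);
        }

        int size() {
            return bundleCache.size();
        }
    }

    // Parse an Accept-Language header into the client's most preferred Locale.
    // Ill-formed headers fall back to English instead of propagating an exception.
    static Locale preferredLocale(String acceptLanguage) {
        try {
            List<Locale.LanguageRange> ranges = Locale.LanguageRange.parse(acceptLanguage);
            if (ranges.isEmpty()) {
                return Locale.ENGLISH;
            }
            return Locale.forLanguageTag(ranges.get(0).getRange());
        } catch (IllegalArgumentException e) {
            return Locale.ENGLISH;
        }
    }

    // Hardened pattern 2: resolve the header onto a supported locale before it is
    // used as a key, so client-controlled input can only ever produce |SUPPORTED| keys.
    static Locale resolveSupported(String acceptLanguage) {
        try {
            Locale match = Locale.lookup(Locale.LanguageRange.parse(acceptLanguage), SUPPORTED);
            return match != null ? match : Locale.ENGLISH;
        } catch (IllegalArgumentException e) {
            return Locale.ENGLISH;
        }
    }

    public static void main(String[] args) {
        UnboundedCache unbounded = new UnboundedCache();
        BoundedCache bounded = new BoundedCache(8);
        UnboundedCache supportedOnly = new UnboundedCache(); // same map, but keys pre-resolved

        // Constructed input: every two-letter language code, one header per request.
        for (char a = 'a'; a <= 'z'; a++) {
            for (char b = 'a'; b <= 'z'; b++) {
                String header = "" + a + b + ", en;q=0.5";
                unbounded.lookup(preferredLocale(header));
                bounded.lookup(preferredLocale(header));
                supportedOnly.lookup(resolveSupported(header));
            }
        }
        System.out.println("unbounded cache entries:      " + unbounded.size());     // one per distinct locale, hundreds
        System.out.println("LRU-bounded cache entries:    " + bounded.size());       // never more than 8
        System.out.println("supported-only cache entries: " + supportedOnly.size()); // never more than SUPPORTED.size()
    }
}
```

The two hardened patterns are complementary: the LRU bound caps memory even if a locale slips past validation, while resolving onto supported locales keeps the cache small and avoids caching misses for locales the application will never serve. An operator checking exposure can also use the same header-to-locale logic to count distinct Accept-Language values in access logs; a steady stream of never-repeating values against error pages is the traffic pattern this advisory describes.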

Added: May 12, 2026, 10:29 PM
Updated: May 12, 2026, 10:29 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 9.7
remediation: 0.0
relevance: 8.1
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.