CVE-2026-33012
Micronaut Framework vulnerable to a Denial of Service in HTML error response caching
Description
`DefaultHtmlErrorResponseBodyProvider` in `io.micronaut:micronaut-http-server` since `4.7.0` and until `4.10.7` used an unbounded `ConcurrentHashMap` cache with no eviction policy. If the application throws an exception whose message may be influenced by an attacker (for example, a message that includes request query parameter values), remote attackers could use this to cause a denial of service (unbounded heap growth and `OutOfMemoryError`).
Fixed via: https://github.com/micronaut-projects/micronaut-core/commit/1e2ba2c14386af3d47751732d02053a72b0b49b3
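The failure mode described above, shown as an added example that is neither Micronaut's code nor its actual patch: a rendered-error-body cache keyed by exception message, once as an unbounded `ConcurrentHashMap` and once with a size bound and eviction. The class name `ErrorBodyCacheDemo`, the `render` and `body` helpers, the `MAX_ENTRIES` value and the sample messages are assumptions made for the illustration.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Illustration only: hypothetical names, not Micronaut's classes or its patch.
public class ErrorBodyCacheDemo {

    static final int MAX_ENTRIES = 100; // assumed bound, chosen for the demo

    // Pattern from the advisory: every distinct message adds an entry that is never evicted.
    static final Map<String, String> unbounded = new ConcurrentHashMap<>();

    // Bounded alternative: access-ordered LinkedHashMap that drops the least recently
    // used entry once the size limit is exceeded, wrapped for thread safety.
    static final Map<String, String> bounded = Collections.synchronizedMap(
        new LinkedHashMap<String, String>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, String> eldest) {
                return size() > MAX_ENTRIES;
            }
        });

    // Stand-in for rendering the HTML error page (the work the cache is meant to save).
    static String render(String message) {
        String escaped = message.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
        return "<html><body><h1>Error</h1><p>" + escaped + "</p></body></html>";
    }

    // Look up the rendered body for a message, rendering and caching it on a miss.
    static String body(Map<String, String> cache, String message) {
        return cache.computeIfAbsent(message, ErrorBodyCacheDemo::render);
    }

    public static void main(String[] args) {
        // Constructed input: each message embeds a request-controlled value,
        // so every request produces a new cache key.
        for (int i = 0; i < 10_000; i++) {
            String message = "Invalid value for parameter 'id': " + i;
            body(unbounded, message);
            body(bounded, message);
        }
        // The unbounded map holds one entry per distinct message seen;
        // the bounded map never holds more than MAX_ENTRIES.
        System.out.println("unbounded entries: " + unbounded.size());
        System.out.println("bounded entries:   " + bounded.size());
    }
}
```

In an application that cannot upgrade immediately, the same reasoning points at the input side as well: exception messages that echo request values are what make the cache key space attacker-controlled.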
How to fix CVE-2026-33012
To remediate CVE-2026-33012, upgrade the affected package to a fixed version below.
- Upgrade to 4.10.17 or later
Is CVE-2026-33012 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.7.0, < 4.10.17
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |