CVE-2022-21700: CWE-400: Uncontrolled Resource Consumption in micronaut-projects micronaut-core
Micronaut is a JVM-based, full stack Java framework designed for building JVM web applications with support for Java, Kotlin and the Groovy language. In affected versions sending an invalid Content Type header leads to memory leak in DefaultArgumentConversionContext as this type is erroneously used in static state. ### Impact Sending an invalid Content Type header leads to memory leak in `DefaultArgumentConversionContext` as this type is erroneously used in static state. ### Patches The problem is patched in Micronaut 3.2.7 and above. ### Workarounds The default content type binder can be replaced in an existing Micronaut application to mitigate the issue: ```java package example; import java.util.List; import io.micronaut.context.annotation.Replaces; import io.micronaut.core.convert.ConversionService; import io.micronaut.http.MediaType; import io.micronaut.http.bind.DefaultRequestBinderRegistry; import io.micronaut.http.bind.binders.RequestArgumentBinder; import jakarta.inject.Singleton; @Singleton @Replaces(DefaultRequestBinderRegistry.class) class FixedRequestBinderRegistry extends DefaultRequestBinderRegistry { public FixedRequestBinderRegistry(ConversionService conversionService, List<RequestArgumentBinder> binders) { super(conversionService, binders); } @Override protected void registerDefaultConverters(ConversionService<?> conversionService) { super.registerDefaultConverters(conversionService); conversionService.addConverter(CharSequence.class, MediaType.class, charSequence -> { try { return MediaType.of(charSequence); } catch (IllegalArgumentException e) { return null; } }); } } ``` ### References Commit that introduced the vulnerability https://github.com/micronaut-projects/micronaut-core/commit/b8ec32c311689667c69ae7d9f9c3b3a8abc96fe3 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Micronaut Core](https://github.com/micronaut-projects/micronaut-core/issues) * Email us at [info@micronaut.io](mailto:info@micronaut.io)
AI Analysis
Technical Summary
CVE-2022-21700 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the Micronaut Core framework, a JVM-based full-stack Java framework widely used for building web applications in Java, Kotlin, and Groovy. The vulnerability arises from improper handling of the Content-Type HTTP header in affected versions of Micronaut Core prior to 3.2.7. Specifically, when an invalid Content-Type header is sent in a request, the framework's DefaultArgumentConversionContext erroneously stores this invalid type in a static state, leading to a memory leak. This uncontrolled memory consumption can degrade application performance and potentially cause denial of service (DoS) conditions due to resource exhaustion. The root cause is the static retention of invalid Content-Type objects, which accumulate over time as malformed requests are processed. The issue was introduced in a recent commit and has been addressed in Micronaut Core version 3.2.7 and later. A workaround is available that involves replacing the default content type binder with a custom implementation that safely handles invalid Content-Type headers by returning null instead of storing invalid values, thereby preventing the memory leak. This workaround requires modifying the application code to override the DefaultRequestBinderRegistry with a safer converter for MediaType. No known exploits are reported in the wild, but the vulnerability poses a risk in environments where untrusted or malformed HTTP requests can be sent to Micronaut-based services. Given the framework's use in JVM web applications, this vulnerability can affect a broad range of enterprise and cloud-native applications that rely on Micronaut for HTTP request processing.
Potential Impact
For European organizations, the impact of CVE-2022-21700 can be significant, especially for those deploying web applications or microservices using vulnerable versions of Micronaut Core. The memory leak caused by malformed Content-Type headers can lead to gradual resource exhaustion, resulting in degraded application performance, increased latency, and potential service outages. This can disrupt business operations, customer-facing services, and internal applications. Organizations in sectors such as finance, healthcare, telecommunications, and public administration, which often deploy JVM-based applications at scale, may experience operational disruptions or increased costs due to the need for additional monitoring and mitigation efforts. Furthermore, if exploited in a targeted manner, attackers could induce denial of service conditions, impacting availability and potentially causing reputational damage. While the vulnerability does not directly lead to data breaches or code execution, the availability impact alone can be critical for high-availability services. The lack of authentication or user interaction requirements means that any external attacker capable of sending HTTP requests can trigger the memory leak, increasing the attack surface. Given the widespread adoption of Micronaut in cloud-native and microservice architectures, the scope of affected systems can be broad within European enterprises leveraging modern Java frameworks.
Mitigation Recommendations
To mitigate CVE-2022-21700, European organizations should prioritize upgrading all Micronaut Core dependencies to version 3.2.7 or later, where the vulnerability is patched. For applications where immediate upgrading is not feasible, implement the provided workaround by replacing the default content type binder with a custom binder that safely handles invalid Content-Type headers, as demonstrated in the advisory's sample Java code. This involves overriding the DefaultRequestBinderRegistry and adding a converter that returns null upon encountering invalid media types, preventing the memory leak. Additionally, organizations should implement strict input validation and filtering at the web application firewall (WAF) or API gateway level to block malformed or suspicious Content-Type headers before they reach the application. Monitoring application memory usage and setting up alerts for abnormal growth patterns can help detect exploitation attempts early. Incorporating rate limiting on incoming requests can reduce the risk of resource exhaustion attacks. Finally, conducting code reviews and dependency audits to identify and update vulnerable libraries across the software supply chain is recommended to prevent similar issues.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Italy, Spain
CVE-2022-21700: CWE-400: Uncontrolled Resource Consumption in micronaut-projects micronaut-core
Description
Micronaut is a JVM-based, full stack Java framework designed for building JVM web applications with support for Java, Kotlin and the Groovy language. In affected versions sending an invalid Content Type header leads to memory leak in DefaultArgumentConversionContext as this type is erroneously used in static state. ### Impact Sending an invalid Content Type header leads to memory leak in `DefaultArgumentConversionContext` as this type is erroneously used in static state. ### Patches The problem is patched in Micronaut 3.2.7 and above. ### Workarounds The default content type binder can be replaced in an existing Micronaut application to mitigate the issue: ```java package example; import java.util.List; import io.micronaut.context.annotation.Replaces; import io.micronaut.core.convert.ConversionService; import io.micronaut.http.MediaType; import io.micronaut.http.bind.DefaultRequestBinderRegistry; import io.micronaut.http.bind.binders.RequestArgumentBinder; import jakarta.inject.Singleton; @Singleton @Replaces(DefaultRequestBinderRegistry.class) class FixedRequestBinderRegistry extends DefaultRequestBinderRegistry { public FixedRequestBinderRegistry(ConversionService conversionService, List<RequestArgumentBinder> binders) { super(conversionService, binders); } @Override protected void registerDefaultConverters(ConversionService<?> conversionService) { super.registerDefaultConverters(conversionService); conversionService.addConverter(CharSequence.class, MediaType.class, charSequence -> { try { return MediaType.of(charSequence); } catch (IllegalArgumentException e) { return null; } }); } } ``` ### References Commit that introduced the vulnerability https://github.com/micronaut-projects/micronaut-core/commit/b8ec32c311689667c69ae7d9f9c3b3a8abc96fe3 ### For more information If you have any questions or comments about this advisory: * Open an issue in [Micronaut Core](https://github.com/micronaut-projects/micronaut-core/issues) * Email us at [info@micronaut.io](mailto:info@micronaut.io)
AI-Powered Analysis
Technical Analysis
CVE-2022-21700 is a vulnerability classified under CWE-400 (Uncontrolled Resource Consumption) affecting the Micronaut Core framework, a JVM-based full-stack Java framework widely used for building web applications in Java, Kotlin, and Groovy. The vulnerability arises from improper handling of the Content-Type HTTP header in affected versions of Micronaut Core prior to 3.2.7. Specifically, when an invalid Content-Type header is sent in a request, the framework's DefaultArgumentConversionContext erroneously stores this invalid type in a static state, leading to a memory leak. This uncontrolled memory consumption can degrade application performance and potentially cause denial of service (DoS) conditions due to resource exhaustion. The root cause is the static retention of invalid Content-Type objects, which accumulate over time as malformed requests are processed. The issue was introduced in a recent commit and has been addressed in Micronaut Core version 3.2.7 and later. A workaround is available that involves replacing the default content type binder with a custom implementation that safely handles invalid Content-Type headers by returning null instead of storing invalid values, thereby preventing the memory leak. This workaround requires modifying the application code to override the DefaultRequestBinderRegistry with a safer converter for MediaType. No known exploits are reported in the wild, but the vulnerability poses a risk in environments where untrusted or malformed HTTP requests can be sent to Micronaut-based services. Given the framework's use in JVM web applications, this vulnerability can affect a broad range of enterprise and cloud-native applications that rely on Micronaut for HTTP request processing.
Potential Impact
For European organizations, the impact of CVE-2022-21700 can be significant, especially for those deploying web applications or microservices using vulnerable versions of Micronaut Core. The memory leak caused by malformed Content-Type headers can lead to gradual resource exhaustion, resulting in degraded application performance, increased latency, and potential service outages. This can disrupt business operations, customer-facing services, and internal applications. Organizations in sectors such as finance, healthcare, telecommunications, and public administration, which often deploy JVM-based applications at scale, may experience operational disruptions or increased costs due to the need for additional monitoring and mitigation efforts. Furthermore, if exploited in a targeted manner, attackers could induce denial of service conditions, impacting availability and potentially causing reputational damage. While the vulnerability does not directly lead to data breaches or code execution, the availability impact alone can be critical for high-availability services. The lack of authentication or user interaction requirements means that any external attacker capable of sending HTTP requests can trigger the memory leak, increasing the attack surface. Given the widespread adoption of Micronaut in cloud-native and microservice architectures, the scope of affected systems can be broad within European enterprises leveraging modern Java frameworks.
Mitigation Recommendations
To mitigate CVE-2022-21700, European organizations should prioritize upgrading all Micronaut Core dependencies to version 3.2.7 or later, where the vulnerability is patched. For applications where immediate upgrading is not feasible, implement the provided workaround by replacing the default content type binder with a custom binder that safely handles invalid Content-Type headers, as demonstrated in the advisory's sample Java code. This involves overriding the DefaultRequestBinderRegistry and adding a converter that returns null upon encountering invalid media types, preventing the memory leak. Additionally, organizations should implement strict input validation and filtering at the web application firewall (WAF) or API gateway level to block malformed or suspicious Content-Type headers before they reach the application. Monitoring application memory usage and setting up alerts for abnormal growth patterns can help detect exploitation attempts early. Incorporating rate limiting on incoming requests can reduce the risk of resource exhaustion attacks. Finally, conducting code reviews and dependency audits to identify and update vulnerable libraries across the software supply chain is recommended to prevent similar issues.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2021-11-16T00:00:00.000Z
- Cisa Enriched
- true
Threat ID: 682d9842c4522896dcbf2330
Added to database: 5/21/2025, 9:09:22 AM
Last enriched: 6/23/2025, 6:03:42 PM
Last updated: 7/28/2025, 3:05:38 PM
Views: 11
Related Threats
CVE-2025-8927: Improper Restriction of Excessive Authentication Attempts in mtons mblog
MediumCVE-2025-43988: n/a
CriticalCVE-2025-8926: SQL Injection in SourceCodester COVID 19 Testing Management System
MediumCVE-2025-43986: n/a
CriticalCVE-2025-43982: n/a
CriticalActions
Updates to AI analysis are available only with a Pro account. Contact root@offseq.com for access.
External Links
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.