CVE-2026-33012: CWE-770: Allocation of Resources Without Limits or Throttling in micronaut-projects micronaut-core
Micronaut Framework is a JVM-based full stack Java framework designed for building modular, easily testable JVM applications. Versions 4.7.0 through 4.10.16 used an unbounded ConcurrentHashMap cache with no eviction policy in its DefaultHtmlErrorResponseBodyProvider. If the application throws an exception whose message may be influenced by an attacker (for example, one that includes request query parameter values), remote attackers could use it to cause unbounded heap growth and an OutOfMemoryError, leading to DoS. This issue has been fixed in version 4.10.7.
AI Analysis
Technical Summary
The vulnerability CVE-2026-33012 affects the Micronaut Framework's core component, specifically versions from 4.7.0 up to but not including 4.10.17. The root cause is the use of an unbounded ConcurrentHashMap cache in the DefaultHtmlErrorResponseBodyProvider, which lacks any eviction or size limits. When an application built on these versions throws exceptions, the exception messages (potentially influenced by attacker-controlled input such as query parameters) are cached indefinitely, so every distinct message adds a new entry. This unbounded caching leads to continuous heap memory consumption growth, eventually causing an OutOfMemoryError and crashing the application or severely degrading its availability. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling). Exploitation requires no privileges or user interaction and can be performed remotely by sending crafted requests that trigger exceptions with attacker-controlled messages. The vulnerability does not impact confidentiality or integrity but results in high availability impact due to denial of service. The issue was publicly disclosed on March 20, 2026, with a CVSS 3.1 base score of 7.5 (high severity). The fix involves updating to Micronaut version 4.10.17 or later, where the cache is either bounded or properly evicted to prevent unbounded memory growth.
Potential Impact
This vulnerability can cause denial of service conditions in applications using affected Micronaut versions by exhausting heap memory through unbounded cache growth. Organizations relying on these versions for JVM-based microservices or web applications may experience application crashes or severe performance degradation, leading to service outages. This can disrupt business operations, degrade user experience, and potentially cause cascading failures in distributed systems. Since exploitation requires no authentication and can be triggered remotely, the attack surface is broad, increasing the risk of automated or targeted attacks. Although confidentiality and integrity are not directly impacted, the availability impact can be significant, especially for high-traffic or critical services. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, especially as the vulnerability is publicly known and easily testable.
Mitigation Recommendations
The primary mitigation is to upgrade all affected Micronaut Framework instances to version 4.10.17 or later, where the unbounded cache issue is resolved. Until upgrades can be applied, organizations should implement strict input validation and sanitization to limit attacker influence on exception messages, reducing an attacker's ability to create an unbounded number of distinct cache entries. Monitoring JVM heap usage and setting memory limits or alerts can help detect abnormal memory growth early. Employing runtime protections such as application-layer firewalls or rate limiting can reduce the volume of malicious requests triggering exceptions. Additionally, configuring JVM options to limit heap size and enable garbage collection logging can assist in identifying and mitigating memory exhaustion events. Developers should review custom error handling to avoid caching untrusted data and consider implementing cache size limits or eviction policies in application code. Regularly auditing dependencies and applying security patches promptly is essential to prevent exploitation.
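The pattern described in the technical summary and the "cache size limits or eviction policies" mitigation, as an added illustration that is not Micronaut's own code: a map keyed on the untrusted exception message gains one entry per distinct message and is never evicted, while a fixed-size LRU map bounds what is retained. The class and method names (HtmlErrorBodyCache, renderUnbounded, renderBounded) are assumed for this example.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
// Added illustration of the CWE-770 cache pattern; not Micronaut's own code.
// HtmlErrorBodyCache and its method names are assumed for this example.
public class HtmlErrorBodyCache {
    // VULNERABLE pattern: keyed on the exception message, never evicted.
    // Every distinct attacker-influenced message becomes a new, permanent entry.
    private final Map<String, String> unbounded = new ConcurrentHashMap<>();
    public String renderUnbounded(Throwable error) {
        String key = String.valueOf(error.getMessage());
        return unbounded.computeIfAbsent(key, HtmlErrorBodyCache::toHtml);
    }
    // HARDENED pattern: fixed-size, access-ordered LRU map that drops its eldest
    // entry once the cap is exceeded, so retained heap stays bounded no matter
    // how many distinct messages arrive.
    private static final int MAX_ENTRIES = 256;
    private final Map<String, String> bounded =
        new LinkedHashMap<>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, String> eldest) {
                return size() > MAX_ENTRIES;
            }
        };
    // LinkedHashMap is not thread-safe, so access is serialized here.
    public synchronized String renderBounded(Throwable error) {
        String key = String.valueOf(error.getMessage());
        return bounded.computeIfAbsent(key, HtmlErrorBodyCache::toHtml);
    }
    public int unboundedSize() { return unbounded.size(); }
    public synchronized int boundedSize() { return bounded.size(); }
    // Escape the untrusted message so it cannot inject markup into the error page.
    private static String toHtml(String message) {
        String safe = message.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;");
        return "<html><body><h1>Error</h1><p>" + safe + "</p></body></html>";
    }
    public static void main(String[] args) {
        HtmlErrorBodyCache cache = new HtmlErrorBodyCache();
        // Constructed input: 10,000 requests, each producing a distinct message,
        // as a request parameter echoed into an exception would.
        for (int i = 0; i < 10_000; i++) {
            RuntimeException e = new RuntimeException("bad value: " + i);
            cache.renderUnbounded(e);
            cache.renderBounded(e);
        }
        System.out.println("unbounded=" + cache.unboundedSize()
            + " bounded=" + cache.boundedSize());
    }
}
```

After the loop the unbounded map holds one entry per distinct message (10,000) while the bounded map holds at most MAX_ENTRIES; bounding the entry count is the minimal fix, and not caching attacker-influenced text at all is the stronger one.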
Affected Countries
United States, Germany, United Kingdom, India, China, Japan, South Korea, France, Canada, Australia
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T17:22:14.665Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 69bcda04e32a4fbe5f304675
Added to database: 3/20/2026, 5:24:20 AM
Last enriched: 3/20/2026, 5:39:38 AM
Last updated: 3/21/2026, 3:53:56 AM