CVE-2026-33013: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') in micronaut-projects micronaut-core
Micronaut Framework is a JVM-based full-stack Java framework designed for building modular, easily testable JVM applications. Versions prior to 4.10.16 (4.x line) and 3.10.5 (3.x line) do not correctly handle descending array index order during form-urlencoded body binding in JsonBeanPropertyBinder::expandArrayToThreshold, which allows remote attackers to cause a DoS (non-terminating loop, CPU exhaustion, and OutOfMemoryError) via crafted indexed form parameters (e.g., authors[1].name followed by authors[0].name). This issue has been fixed in versions 4.10.16 and 3.10.5.
AI Analysis
Technical Summary
CVE-2026-33013 is a vulnerability in the Micronaut Framework's core library (micronaut-core) affecting versions >=4.0.0-M1 and <4.10.16, and all versions below 3.10.5. The root cause is a logic flaw in the JsonBeanPropertyBinder::expandArrayToThreshold method, which mishandles descending array index order while binding a form-urlencoded request body into an object. When indexed parameters arrive out of order, such as authors[1].name followed by authors[0].name, the array has already been expanded for the higher index and the exit condition for the lower index is never reached: the method spins, pegging a CPU core, and keeps allocating until the JVM throws OutOfMemoryError, a state a process generally cannot recover from cleanly. The flaw is categorized under CWE-835 (Loop with Unreachable Exit Condition). A single small request is sufficient, and the framework requires no authentication or user interaction for binding to run, although any access control the application places in front of the endpoint still applies. Exposure is confined to endpoints that bind an application/x-www-form-urlencoded body into a bean; the advisory does not describe a trigger through other content types. No exploits are currently reported in the wild, but the trigger is trivial to construct, which the CVSS 4.0 score of 8.2 (High) reflects. The issue is addressed in Micronaut 4.10.16 and 3.10.5, where the array index handling was corrected so that expansion terminates regardless of index order. The population most at risk is backend services and APIs that use Micronaut for HTTP request processing and data binding, particularly those accepting form-urlencoded data with indexed (array) parameters.
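The loop pattern described above, as an added illustration that is not Micronaut's code: a hypothetical reconstruction in Python of an array-expansion routine whose exit condition is unreachable once a lower index follows a higher one, beside a form that terminates for any order. The binder shape (name[i].field keys), the step budget that keeps the demo from actually hanging, and the two sample bodies are assumptions of the example, not details taken from the advisory.

```python
# Added illustration of the CWE-835 pattern described for CVE-2026-33013.
# This is NOT Micronaut's JsonBeanPropertyBinder code; it is a hypothetical
# reconstruction of how an "expand array to index" loop can fail to terminate
# when indexed form keys arrive in descending order.
import re
from typing import Any, Callable, Dict, List
from urllib.parse import parse_qsl

# Keys of the shape name[i].field (the shape named in the advisory).
KEY_RE = re.compile(r"^([A-Za-z_]\w*)\[(\d+)\]\.([A-Za-z_]\w*)$")


class LoopBudgetExceeded(RuntimeError):
    """Raised by the demo so the vulnerable loop cannot actually hang the interpreter."""


def expand_vulnerable(arr: List[Any], index: int, budget: int = 10_000) -> None:
    # Hypothetical vulnerable form: grows the list until its length EQUALS index+1.
    # If the list is already longer (a smaller index arrives after a larger one)
    # the exit condition can never become true: the loop spins and the list
    # grows without bound, which on a real JVM ends in OutOfMemoryError.
    # 'budget' exists only so this demo terminates; the flaw has no such guard.
    steps = 0
    while len(arr) != index + 1:
        arr.append(None)
        steps += 1
        if steps > budget:
            raise LoopBudgetExceeded(
                f"no exit after {budget} iterations (len={len(arr)}, index={index})"
            )


def expand_fixed(arr: List[Any], index: int) -> None:
    # Hardened form: only ever grow up to the needed length, never shrink or
    # wait for an exact size, so any index order terminates.
    while len(arr) <= index:
        arr.append(None)


def bind_form(body: str, expand: Callable[[List[Any], int], None]) -> Dict[str, List[Any]]:
    # Bind name[i].field=value pairs into {name: [{field: value}, ...]}.
    bound: Dict[str, List[Any]] = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        m = KEY_RE.match(key)
        if not m:
            continue  # non-indexed fields are ignored in this demo
        name, index, field = m.group(1), int(m.group(2)), m.group(3)
        arr = bound.setdefault(name, [])
        expand(arr, index)
        if arr[index] is None:
            arr[index] = {}
        arr[index][field] = value
    return bound


# Constructed sample bodies: ascending order, and the descending trigger shape.
ASCENDING = "authors[0].name=Ada&authors[1].name=Linus"
DESCENDING = "authors[1].name=Linus&authors[0].name=Ada"


def demo() -> Dict[str, Any]:
    results: Dict[str, Any] = {}
    results["vuln_ascending"] = bind_form(ASCENDING, expand_vulnerable)
    try:
        bind_form(DESCENDING, expand_vulnerable)
        results["vuln_descending"] = "terminated"
    except LoopBudgetExceeded as exc:
        results["vuln_descending"] = "hung: " + str(exc)
    results["fixed_descending"] = bind_form(DESCENDING, expand_fixed)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The vulnerable variant binds the ascending body correctly, which is why a bug of this kind survives ordinary testing; only the reversed order exposes the unreachable exit condition.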
Potential Impact
The primary impact of CVE-2026-33013 is denial of service through an infinite loop and resource exhaustion. An affected Micronaut application that receives the crafted body pins a CPU core and grows the heap until OutOfMemoryError, leaving it unresponsive or crashed. Because one small request is enough, the attack needs neither volume nor bandwidth, is cheap to repeat against every replica behind a load balancer, and defeats naive auto-restart: each restarted instance falls over again as soon as the next crafted request lands. No authentication or user interaction is required by the framework, so public-facing APIs and form-accepting endpoints are the obvious targets. Organizations running Micronaut microservices, web applications, or APIs, whether on bare JVMs, in containers, or in managed cloud environments, are exposed to outages, and an outage in one service can cascade to its dependents. Confidentiality and integrity are not affected. The absence of known in-the-wild exploitation limits immediate risk, but the ease of building the trigger and the High severity score warrant prompt remediation.
Mitigation Recommendations
1. Upgrade all affected Micronaut Framework instances to 4.10.16 or later (4.x line) or 3.10.5 or later (3.x line). Confirm the resolved io.micronaut:micronaut-core version in the dependency tree (for example with ./gradlew dependencies or mvn dependency:tree) rather than the declared platform version alone, since micronaut-core arrives transitively through the Micronaut BOM.
2. Where an immediate upgrade is not possible, reject suspicious indexed form parameters before binding: a check inside the controller is too late, because argument binding runs before controller code executes. Screen the raw body in a server filter or at the reverse proxy, and treat any array path whose index is lower than one already seen in the same body as the trigger shape.
3. Apply rate limiting and request throttling on endpoints accepting form-urlencoded data. This limits how often an attacker can re-trigger the loop after a restart but does not stop a single request from hanging an instance, so it is a complement to patching, not a substitute.
4. Monitor for the exploitation signature: one thread at 100% CPU with steadily growing heap, followed by OutOfMemoryError. A thread dump from an affected instance will show the request stuck in form body binding.
5. Use Web Application Firewall (WAF) rules to block or alert on form bodies that revisit a lower index of an array path (e.g. authors[1].name followed by authors[0].name). The rule must operate on the decoded body, since the brackets can arrive percent-encoded as %5B and %5D.
6. Review custom data binding code for the same pattern: an expansion loop that waits for an exact size instead of growing to at least the required size.
7. Make the failure fast and recoverable rather than relying on runtime self-protection (RASP) tooling alone: run the JVM with -XX:+ExitOnOutOfMemoryError under a supervisor or orchestrator restart policy so a hung instance is replaced instead of left spinning. Note that restarts only buy time; repeated triggering remains a DoS until the fix is deployed.
8. Ensure incident response plans cover isolating and remediating affected services quickly if exploitation is detected.
These measures combined reduce the attack surface and mitigate the risk of denial of service caused by this vulnerability; only the upgrade removes it.
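Two of the checks above, confirming the resolved version (item 1) and screening form bodies before binding (items 2 and 5), as an added example that is not code from Micronaut or from this advisory. The version ranges are the ones the advisory states; the index cap, the finding format and the sample bodies are assumptions of the example. The screener is meant to run where the raw body is still available, in a server filter or at the proxy, before the framework binds it.

```python
# Added example: two defensive checks for CVE-2026-33013. Not Micronaut code.
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qsl

# --- Check 1: is a given micronaut-core version inside the affected ranges? ---

# (lower bound inclusive or None, upper bound exclusive), as stated in the advisory.
AFFECTED_RANGES: List[Tuple[Optional[str], str]] = [
    (None, "3.10.5"),        # every release below 3.10.5
    ("4.0.0-M1", "4.10.16"), # 4.0.0-M1 up to but excluding 4.10.16
]


def parse_version(v: str) -> tuple:
    # "4.10.16" -> (4, 10, 16, 1, ""); "4.0.0-M1" -> (4, 0, 0, 0, "M1").
    # A qualifier marks a pre-release, which sorts before the matching release;
    # qualifiers are compared lexically (M1 < RC1), which is enough for this range.
    core, _, qualifier = v.partition("-")
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2], 0 if qualifier else 1, qualifier)


def is_affected(version: str) -> bool:
    pv = parse_version(version)
    for lower, upper in AFFECTED_RANGES:
        lower_ok = lower is None or parse_version(lower) <= pv
        if lower_ok and pv < parse_version(upper):
            return True
    return False


# --- Check 2: does a form-urlencoded body carry the descending-index shape? ---

INDEX_RE = re.compile(r"\[(\d+)\]")


def find_descending_indices(body: str, max_index: int = 1000) -> List[str]:
    """Return findings for a form-urlencoded body; an empty list means clean.

    Flags an index that is lower than one already seen for the same array path
    (the trigger shape named in the advisory). The max_index cap is an extra
    hardening assumed by this example, not something the advisory describes.
    """
    findings: List[str] = []
    highest: Dict[str, int] = {}  # array path -> highest index seen so far
    # parse_qsl percent-decodes keys, so %5B0%5D is seen as [0].
    for key, _ in parse_qsl(body, keep_blank_values=True):
        for m in INDEX_RE.finditer(key):
            path, idx = key[: m.start()], int(m.group(1))  # nested paths stay distinct
            if idx > max_index:
                findings.append(f"{key}: index {idx} exceeds cap {max_index}")
            prev = highest.get(path)
            if prev is not None and idx < prev:
                findings.append(f"{key}: index {idx} after {path}[{prev}] (descending order)")
            highest[path] = idx if prev is None else max(prev, idx)
    return findings


if __name__ == "__main__":
    for v in ("3.10.4", "3.10.5", "4.0.0-M1", "4.10.15", "4.10.16"):
        print(f"micronaut-core {v}: {'AFFECTED' if is_affected(v) else 'fixed'}")
    # Constructed sample bodies: the trigger, its benign ordering, and an encoded variant.
    for body in (
        "authors[1].name=Linus&authors[0].name=Ada",
        "authors[0].name=Ada&authors[1].name=Linus",
        "authors%5B1%5D.name=Linus&authors%5B0%5D.name=Ada",
    ):
        print(body, "->", find_descending_indices(body) or "clean")
```

Feed is_affected the version reported by the dependency tree, not the version property in the build file. The screener keys its state on the array path, so a[1].b[0] followed by a[0].b[0] is flagged on the outer path while a[0].b[0] followed by a[0].b[1] is not.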
Affected Countries
United States, Germany, India, Japan, Brazil, United Kingdom, France, Canada, Australia, South Korea
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-17T17:22:14.665Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 69bcda04e32a4fbe5f30467a
Added to database: 3/20/2026, 5:24:20 AM
Last enriched: 3/27/2026, 6:49:49 PM
Last updated: 5/2/2026, 12:11:36 PM