The vulnerability exists in `ResourceBundleMessageSource`, which uses an unbounded `bundleCache` (a `ConcurrentHashMap`). The cache key is (Locale, baseName), where `Locale` is derived from the HTTP `Accept-Language` header. When a Micronaut application explicitly registers a `ResourceBundleMessageSource` bean and returns HTML error responses (e.g., 404), an unauthenticated attacker can send many requests with unique `Accept-Language` values. Each new locale causes `resolveBundle()` to insert an entry into `bundleCache` without any eviction or size limit. Unlike the bounded `messageCache` (100 entries), `bundleCache` grows indefinitely. For locales that do not match any bundle file, a cheap `Optional.empty()` is stored; for matching locales, a full `ResourceBundle` object is retained. The map overhead per entry is ~100-200 bytes, and sustained requests exhaust heap memory.

The attack path is triggered by `DefaultHtmlErrorResponseBodyProvider.error()` calling `messageSource.getMessage()` → `CompositeMessageSource` → `ResourceBundleMessageSource.resolveBundle()`. The provided PoC floods with `curl` requests containing unique `Accept-Language: zz-XXXX` headers to a nonexistent path, creating 100,000+ cache entries.

The fix replaces `buildBundleCache()` to return a bounded `ConcurrentLinkedHashMap` with a maximum capacity of 50.
- Platform: Micronaut
- Version: All prior to fix (no CVE assigned)
- Vulnerability: Unbounded cache exhaustion
- Severity: Medium
- Date: 2025-05-06
- Prediction: Estimated patch 2025-06-15
What Undercode Says:

Detect the unbounded cache by monitoring heap growth:

```sh
jcmd <pid> GC.heap_info
```

Simulate the attack with unique `Accept-Language` values:

```sh
for i in {1..100000}; do curl -s -H "Accept-Language: zz-$i" http://target/404; done
```

Check the cache size (requires JMX or debug):

```sh
curl -X POST http://localhost:8080/metrics -d '{"name":"micronaut.i18n.cache.size"}'
```
Exploit:
An attacker sends HTTP requests with `Accept: text/html` and unique `Accept-Language` values to any error-triggering endpoint (e.g., /invalid). Each unique locale creates a `bundleCache` entry. Over time, the heap fills with `MessageKey` objects and `ResourceBundle` instances, causing `OutOfMemoryError` and denial of service.
Protection from this vulnerability:
- Upgrade to the patched Micronaut version (once available), in which `buildBundleCache()` returns a bounded cache.
- Apply a workaround: override the `ResourceBundleMessageSource` bean to implement a bounded cache manually.
- Rate-limit clients that send an excessive number of unique `Accept-Language` headers.
- Disable HTML error responses or use a different `MessageSource` implementation.
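The heap-growth check above and the rate-limiting mitigation both need a way to spot a client cycling through locales. The following is an added example, not code from the advisory or from Micronaut: it scans access-log lines of an assumed shape (client IP, request line, status, `Accept`, `Accept-Language`), counts distinct primary locales per client on HTML error responses only (the path that reaches `bundleCache`), and flags clients above the 50-entry bound the fix introduces. The log format, the sample lines and the threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed (constructed) access-log shape, not Micronaut's default logging:
# client_ip "METHOD path" status "Accept" "Accept-Language"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3}) '
    r'"(?P<accept>[^"]*)" "(?P<lang>[^"]*)"$'
)

# Constructed sample: one client cycling synthetic zz-N locales against a
# 404 path (the advisory's PoC pattern), one ordinary client with real locales.
SAMPLE_LOG = [
    f'203.0.113.7 "GET /invalid" 404 "text/html" "zz-{i}"' for i in range(1, 201)
] + [
    '198.51.100.4 "GET /invalid" 404 "text/html" "en-US,en;q=0.9"',
    '198.51.100.4 "GET /" 200 "text/html" "en-US,en;q=0.9"',
    '198.51.100.4 "GET /missing" 404 "text/html" "de-DE,de;q=0.8"',
]


def primary_locale(accept_language: str) -> str:
    # Assumption: the first language tag is what becomes the cache-key Locale;
    # q-weights and secondary tags are dropped.
    return accept_language.split(",")[0].split(";")[0].strip()


def distinct_locales_per_client(lines):
    """Map client IP -> number of distinct locales it sent on HTML error responses.

    Only 4xx/5xx responses negotiated as text/html are counted, because that is
    the DefaultHtmlErrorResponseBodyProvider path that touches bundleCache."""
    seen = defaultdict(set)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        if not m["status"].startswith(("4", "5")) or "text/html" not in m["accept"]:
            continue
        seen[m["ip"]].add(primary_locale(m["lang"]))
    return {ip: len(locales) for ip, locales in seen.items()}


def flag_locale_floods(lines, threshold=50):
    """Clients whose distinct-locale count exceeds the threshold (assumed: the
    fix's 50-entry bundleCache cap); a normal client stays far below it."""
    counts = distinct_locales_per_client(lines)
    return sorted(ip for ip, n in counts.items() if n > threshold)
```

A client rotating source addresses will spread its locales across many IPs, so the same count taken per application instance (all clients combined) is the better trigger for a heap alert.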
Impact:
Partial availability loss (A:L). The attack requires no authentication, only the ability to send HTTP requests. A sustained attack exhausts heap memory, crashing the JVM or making the application unresponsive. Resource-constrained deployments are more severely affected.
Sources:
Reported By: github.com