The vulnerability resides in `TimeConverterRegistrar`, which caches `DateTimeFormatter` instances in an unbounded `ConcurrentHashMap`. The cache key is a concatenation of a `@Format` annotation pattern and a locale derived from the HTTP `Accept-Language` header. `Locale.forLanguageTag()` accepts arbitrary BCP 47 private-use extensions (e.g., `en-x-a001`, `en-x-a002`). An unauthenticated attacker sends an unlimited number of unique locale tags, each generating a distinct cache key. The `getFormatter` method at line 434 inserts into the map with no eviction or size limit.

The call chain begins with `HttpHeaders.findAcceptLanguage()` parsing the header; `AbstractRouteMatch.newContext()` then passes the attacker-controlled locale into the conversion context. Any route endpoint with a `@Format`-annotated temporal parameter triggers `TimeConverterRegistrar.getFormatter()`, inserting a new entry for each unique pattern+locale. `TimeConverterRegistrar` is an `@Internal` core bean present in every Micronaut application by default. Each `DateTimeFormatter` occupies ~2-10 KB of heap. After ~100,000 unique entries memory consumption exceeds 500 MB; at ~500,000 entries the JVM crashes with `OutOfMemoryError: Java heap space`. The BCP 47 private-use namespace provides millions of distinct valid locale strings. This issue is structurally identical to the patched GHSA-2hcp-gjrf-7fhc but was not covered by that fix.
dailycve form:
Platform: Micronaut framework
Version: <=4.6.1 (affected)
Vulnerability: Unbounded cache DoS
Severity: Medium (6.5)
Date: 2024-10-22
Prediction: Patch expected 2024-10-24
What Undercode Say:
```bash
# Generate unique Accept-Language headers to exhaust heap
for i in $(seq 1 200000); do
  curl -s -o /dev/null \
    -H "Accept-Language: en-x-$(printf '%06d' $i)" \
    -H "date: 01/01/2024 12:00:00 AM UTC" \
    "http://localhost:8080/dateFormat" &
  [ $((i % 500)) -eq 0 ] && wait
done
wait

# Monitor heap usage
jmap -heap <pid> | grep -E "Used|Max"
```
Exploit:
Send HTTP requests with an ever-changing `Accept-Language: en-x-<unique tag>` header to a route that has a `@Format`-annotated temporal parameter (e.g., `ZonedDateTime`, `LocalDate`). Each unique header forces a new `DateTimeFormatter` cache entry until OOM.
Protection from this CVE:
- Upgrade to Micronaut 4.6.2 or later (contains bounded cache fix).
- Replace `ConcurrentHashMap` with `ConcurrentLinkedHashMap` capped at 100 entries.
- Or cache only by pattern and apply the locale at use time:
  `formattersCache.computeIfAbsent(pattern, p -> DateTimeFormatter.ofPattern(p)).withLocale(locale)`
- Use a reverse proxy to limit the rate of unique `Accept-Language` headers.
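A pattern-only formatter cache of the kind the third mitigation describes, as an added example (this is not Micronaut's own code); the class name, the synchronized LRU map and the 100-entry cap are assumptions:

```java
import java.time.format.DateTimeFormatter;
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Locale;
import java.util.Map;

/**
 * Added example, not Micronaut's implementation: the cache is keyed by the
 * @Format pattern alone, so a request-controlled Locale can no longer create
 * entries. The locale is applied per call via withLocale(), which returns a
 * lightweight formatter and stores nothing. An LRU bound is kept as defence in
 * depth even though patterns are normally developer-controlled constants.
 */
public final class PatternOnlyFormatterCache {
    private static final int MAX_ENTRIES = 100; // assumption: cap from the mitigation list

    // Access-ordered LinkedHashMap evicting the eldest entry once the cap is exceeded;
    // wrapped in synchronizedMap so computeIfAbsent is safe across request threads.
    private final Map<String, DateTimeFormatter> byPattern = Collections.synchronizedMap(
        new LinkedHashMap<String, DateTimeFormatter>(16, 0.75f, true) {
            @Override
            protected boolean removeEldestEntry(Map.Entry<String, DateTimeFormatter> eldest) {
                return size() > MAX_ENTRIES;
            }
        });

    /** Returns a formatter for the pattern, localized for this request only. */
    public DateTimeFormatter getFormatter(String pattern, Locale locale) {
        DateTimeFormatter base = byPattern.computeIfAbsent(pattern, DateTimeFormatter::ofPattern);
        return base.withLocale(locale); // no per-locale cache entry is created
    }

    public int size() {
        return byPattern.size();
    }

    public static void main(String[] args) {
        PatternOnlyFormatterCache cache = new PatternOnlyFormatterCache();
        // Constructed input: many distinct private-use locale tags against one pattern.
        for (int i = 0; i < 10_000; i++) {
            Locale requestLocale = Locale.forLanguageTag("en-x-" + i);
            cache.getFormatter("yyyy-MM-dd", requestLocale);
        }
        // The cache size depends only on the number of distinct patterns seen.
        System.out.println("cached patterns: " + cache.size());
    }
}
```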
Impact:
- Unauthenticated remote DoS – attacker crashes the JVM.
- No special permissions required.
- Affects all Micronaut HTTP servers exposing a `@Format` temporal parameter.
- Linear memory growth per unique locale tag; millions of possible tags.
Sources:
Reported By: github.com