CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-387M-935M-C4VW

GHSA-387m-935m-c4vw: Unbounded HTTP Redirections Enable Infinite Loop Denial of Service in Micronaut HTTP Client

Amit Schendel
Amit Schendel
Senior Security Researcher

Jul 9, 2026·6 min read·1 visit

Executive Summary (TL;DR)

A missing ceiling on HTTP redirections in Micronaut's Netty HTTP Client allows a remote server to trap the client in an infinite loop, causing severe Denial of Service through thread and resource starvation.

The Netty-based HTTP Client in the Micronaut framework fails to enforce a maximum redirect ceiling by default when processing HTTP responses. This permits remote, attacker-controlled servers to trigger continuous, infinite redirect loops. The resulting recursion causes high CPU utilization, thread starvation, and potential memory exhaustion, inducing a Denial of Service (DoS) state in client-side applications.

Vulnerability Overview

The Micronaut HTTP Client is an asynchronous, reactive HTTP client built on top of the Netty event-driven network application framework. It is a core module in the Micronaut ecosystem, facilitating asynchronous service-to-service communication, metadata fetching, and API aggregation. By default, the client is configured to automatically follow HTTP 3xx redirection responses.

This vulnerability stems from a lack of state tracking in the client's redirection logic. Prior to the fix, the client parsed incoming Location headers and recursively initiated subsequent connections without keeping track of the total redirection depth. If a destination target resolves to a looping sequence, the client follows the route indefinitely.

Because the HTTP Client handles asynchronous, reactive streams via underlying Netty EventLoop groups, entering an endless redirect loop exhausts critical system resources. This attack surface is exposed whenever a Micronaut client fetches data from an endpoint controlled or influenced by an untrusted party, leading directly to a complete Denial of Service on the host application.

Root Cause Analysis

The root cause of GHSA-387m-935m-c4vw lies in the redirection resolution path of DefaultHttpClient and NettyHttpClient. When automatic redirect tracking is active (followRedirects = true), receiving an HTTP 3xx status code triggers the extraction of the target URI from the Location response header. The state machine then builds a secondary client request and subscribes to its response flow.

In vulnerable versions, the state machine did not keep any execution-context tracking or counter variables across these consecutive request hops. There was no boundary condition checking the accumulation of redirects. Consequently, when a loop occurs, the reactive pipeline continues to allocate execution frames, schedule channel operations, and spawn TCP sockets indefinitely.

This continuous execution sequence causes three distinct failure modes on the client host. First, the system experiences CPU exhaustion as the CPU cores dedicated to Netty's reactive event loops are driven to full capacity processing HTTP frames. Second, ephemeral port allocations and file descriptors are quickly consumed by active, unclosed connections. Lastly, the creation of sequential connection contexts and reactive stream subscribers puts high pressure on the JVM garbage collector, occasionally causing OutOfMemoryError states under concurrent conditions.

Code-Level Patch Analysis

The vulnerability was mitigated across the Micronaut 3, 4, and 5 branches by adding a state-tracking attribute to the request lifecycle. The implementation adds a configuration property DEFAULT_MAX_REDIRECTS set to five, which represents the default ceiling for redirection paths. This value is configurable via the micronaut.http.client.max-redirects configuration namespace.

An attribute string micronaut.http.client.redirect-count was introduced to carry the current recursion level through the request execution context. During redirection, the client reads this value, verifies it against the configured threshold, increments it, and updates the subsequent request attributes.

Reviewing the official patch in the Netty client implementation demonstrates how this logic was integrated into the reactive flow:

// In DefaultHttpClient.java / NettyHttpClient.java
private static final String REDIRECT_COUNT = "micronaut.http.client.redirect-count";
 
// Redirection logic verification block:
int redirectCount = request.getAttribute(REDIRECT_COUNT, Integer.class).orElse(0) + 1;
if (redirectCount > configuration.getMaxRedirects()) {
    return ExecutionFlow.error(decorate(new HttpClientException("Maximum number of redirects exceeded at redirect count: " + redirectCount)));
}
redirectRequest.setAttribute(REDIRECT_COUNT, redirectCount);

If the integer counter exceeds the configured redirect ceiling, the execution flow is broken immediately by returning an HttpClientException wrapped in an error block. This immediately halts the reactive pipeline, preventing further network socket allocation and releasing event loop resources. The fix is considered structurally complete because it utilizes context-propagating request attributes, ensuring safety even in non-blocking, multi-threaded reactive execution paths.

Exploitation Methodology

Exploitation of GHSA-387m-935m-c4vw is straightforward and requires no prior credentials. The attack is feasible against any endpoint of a Micronaut application that accepts a user-defined URL and uses the default HTTP Client configuration to retrieve content from that URL. Common examples include metadata extractors, web scrapers, proxy components, and webhook handlers.

An attacker begins by deploying an HTTP server on a public domain. This malicious server is configured to return redirect headers pointing recursively to itself or another loop location. For instance, the server returns a 302 Found response with a Location: /loop header, where /loop subsequently redirects back to /loop.

When the victim Micronaut application processes the initial URL, it queries the attacker's server, parses the Location header, and automatically schedules another connection. Because there is no check on redirect depth, the client repeatedly generates requests. If an attacker submits several looping URLs concurrently, the client's entire pool of Netty execution threads is bound to the loop, causing the application to become unresponsive to legitimate client traffic.

Impact Assessment

The threat of this vulnerability is confined to availability, carrying a CVSS v3.1 base score of 7.5. Because the vulnerability only resides in the client execution flow, it does not allow for unauthorized access, data extraction, or remote privilege escalation. Confidentiality and Integrity are unaffected.

However, the availability impact is high. In systems running cloud microservice architectures, thread starvation inside one Micronaut application can quickly cascade. If the microservice hosts critical authentication middleware or acts as an API gateway, the resulting thread pool exhaustion can take down dependent systems.

Because the flaw consumes resources directly proportional to concurrent loops, it acts as an effective, low-complexity vector for Distributed Denial of Service (DDoS) amplification. An attacker only needs to send a single request containing a looping URL to initiate a long-lived resource exhaustion process on the victim application.

Remediation and Defense-in-Depth

To fully remediate the issue, users must upgrade their Micronaut framework or HTTP Client dependencies to a patched version. For applications running on Micronaut 3, update to version 3.10.7 or higher. For Micronaut 4 applications, migrate to version 4.10.24 or higher, and for Micronaut 5 applications, update to version 5.0.1 or higher.

In circumstances where library upgrades cannot be immediately applied, developers can mitigate the risk by modifying the application's configuration file (application.yml). Setting the automatic redirection property to false prevents the client from following any redirects:

micronaut:
  http:
    client:
      follow-redirects: false

If automatic redirects are disabled, applications that require redirection support must implement manual location checking. By reading the Location header programmatically, the application can validate the target domain, verify that the URI matches a strict whitelist, and discard requests that exhibit cyclic behavior. Egress network filtering should also be applied to prevent microservices from communicating with untrusted external destinations.

Official Patches

MicronautFix for Micronaut 3 branch
MicronautFix for Micronaut 4 branch
MicronautFix for Micronaut 5 branch

Fix Analysis (3)

Technical Appendix

CVSS Score
7.5/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Systems

io.micronaut:micronaut-http-clientMicronaut Framework HTTP ClientNetty-based Micronaut HTTP Client

Affected Versions Detail

Product
Affected Versions
Fixed Version
micronaut-http-client
Micronaut
< 3.10.73.10.7
micronaut-http-client
Micronaut
>= 4.0.0-M1, < 4.10.244.10.24
micronaut-http-client
Micronaut
>= 5.0.0-M1, < 5.0.15.0.1
AttributeDetail
CWE IDCWE-835
Attack VectorNetwork
CVSS v3.17.5
ImpactDenial of Service (Availability: High)
Exploit StatusPoC Available
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1498Network Denial of Service
Impact
T1190Exploit Public-Facing Application
Initial Access
CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')

The program contains an iteration or loop with an exit condition that cannot be reached or is not met, causing the program to loop indefinitely.

Known Exploits & Detection

GitHub Security AdvisoryThe advisory contains reproduction tests in Spock (RedirectLoopSpec.groovy) and JUnit verification parameters confirming the infinite looping behavior.

Vulnerability Timeline

Vulnerability analyzed and GHSA-387m-935m-c4vw advisory published.
2026-07-09
Official patch releases (3.10.7, 4.10.24, and 5.0.1) deployed and verified.
2026-07-09

References & Sources

  • [1]GitHub Advisory Database Entry
  • [2]Micronaut Core GitHub Advisory
  • [3]Micronaut Core Repository Source

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 1 hour ago•GHSA-Q6GH-6V2R-HJV3
8.8

GHSA-Q6GH-6V2R-HJV3: Cross-Origin Credential Leakage in Micronaut HTTP Client

An information disclosure vulnerability exists in the Micronaut Framework's HTTP client components. The client fails to clear sensitive authorization headers and cookies when following redirects across different origins. If an application using the vulnerable client communicates with an endpoint that issues a redirect to an external host, the client will forward the original credentials, leading to potential token theft and session hijacking.

Amit Schendel
Amit Schendel
3 views•6 min read
•about 2 hours ago•GHSA-52VM-MXX8-F227
7.7

GHSA-52vm-mxx8-f227: Arbitrary File Write and Decompression Denial of Service in phantom-audio

GHSA-52vm-mxx8-f227 is a dual-vector security flaw in phantom-audio (<= 1.3.0). The vulnerability allows arbitrary file writes due to unconfined Model Context Protocol (MCP) tool paths when the PHANTOM_OUTPUT_DIR environment variable is not defined. Concurrently, the platform lacks validation controls during the decompression of highly compressed audio files, resulting in resource-exhaustion denial of service and downstream parsing vulnerability exposure.

Amit Schendel
Amit Schendel
4 views•5 min read
•about 2 hours ago•GHSA-C43V-4CR8-6MVP
6.5

GHSA-C43V-4CR8-6MVP: Authenticated Path Traversal in Craft CMS Asset Icon Helper

An authenticated path traversal and arbitrary local file read vulnerability exists in Craft CMS versions 4.x up to 4.17.6 within the assets/icon endpoint and Assets helper classes. By exploiting this vulnerability, an authenticated user can traverse directories and read arbitrary .svg files on the server's filesystem, or execute Stored Cross-Site Scripting (XSS) if they can upload a malicious SVG.

Alon Barad
Alon Barad
3 views•8 min read
•about 3 hours ago•GHSA-86VW-X4WW-X467
8.6

CVE-2026-56382: Remote Code Execution in Craft CMS via Yii2 Event Handler Injection

CVE-2026-56382 is a high-severity remote code execution vulnerability in Craft CMS versions 5.5.0 through 5.9.13. The vulnerability exists within the FieldsController::actionRenderCardPreview() method due to a lack of sanitization of the user-supplied fieldLayoutConfig configuration array, permitting authenticated administrators to register arbitrary PHP callbacks using Yii2 event handler injection mechanisms. This issue has been fully remediated in version 5.9.14.

Amit Schendel
Amit Schendel
4 views•6 min read
•about 4 hours ago•GHSA-382C-VX95-W3P5
6.5

GHSA-382C-VX95-W3P5: Missing Access Control on Profile Endpoint and MCP Tool in Gittensory

An insecure direct object reference (IDOR) and missing authorization validation check in the Gittensory REST API and Model Context Protocol (MCP) server allowed authenticated users to query arbitrary miner profiles, exposing sensitive cryptographic hotkeys and daily financial/economic yields.

Alon Barad
Alon Barad
5 views•6 min read
•about 20 hours ago•CVE-2026-53634
4.3

CVE-2026-53634: Missing Authorization in Code16 Sharp Quick Creation Command Controller

Code16 Sharp versions from 9.0.0 up to (but not including) 9.22.3 are vulnerable to a missing authorization flaw in the Quick Creation Command feature. The ApiEntityListQuickCreationCommandController fails to validate entity-level 'create' policies before returning administrative form designs or processing database modifications. Authenticated users with restricted access can bypass policy boundaries to access creation configurations and insert records.

Alon Barad
Alon Barad
6 views•5 min read