Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1072805?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1072805?format=api", "purl": "pkg:maven/io.micronaut/micronaut-context@4.8.6", "type": "maven", "namespace": "io.micronaut", "name": "micronaut-context", "version": "4.8.6", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "4.10.22", "latest_non_vulnerable_version": "4.10.22", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/95369?format=api", "vulnerability_id": "VCID-v5j9-zwec-q3eq", "summary": "Micronaut has unbounded `formattersCache` in `TimeConverterRegistrar` that Allows Memory Exhaustion via `Accept-Language` Header\n## Summary\n\n`TimeConverterRegistrar` caches `DateTimeFormatter` instances in an unbounded `ConcurrentHashMap<String, DateTimeFormatter>` whose key is derived from the `@Format` annotation pattern concatenated with the locale from the HTTP `Accept-Language` header. Because `Locale.forLanguageTag()` accepts arbitrary BCP 47 private-use extensions (`en-x-a001`, `en-x-a002`, …), an unauthenticated attacker can generate an unlimited number of unique cache keys by sending requests with novel locale tags, growing the cache until heap memory is exhausted and the JVM crashes. This is structurally identical to the recently patched GHSA-2hcp-gjrf-7fhc (`DefaultHtmlErrorResponseBodyProvider`), but `TimeConverterRegistrar.formattersCache` was not covered by that fix.\n\n## Details\n\nThe vulnerable cache is declared in `context/src/main/java/io/micronaut/runtime/converters/time/TimeConverterRegistrar.java` at line 123:\n\n```java\n// TimeConverterRegistrar.java:123\nprivate final Map<String, DateTimeFormatter> formattersCache = new ConcurrentHashMap<>();\n```\n\nThe `getFormatter` method at line 434 inserts into this map with no eviction or size limit:\n\n```java\n// TimeConverterRegistrar.java:434-443\nprivate DateTimeFormatter getFormatter(String pattern, ConversionContext context) {\n var key = pattern + context.getLocale(); // locale from Accept-Language header\n var cachedFormatter = formattersCache.get(key);\n if (cachedFormatter != null) {\n return cachedFormatter;\n }\n var formatter = DateTimeFormatter.ofPattern(pattern, context.getLocale());\n formattersCache.put(key, formatter); // NO SIZE CHECK — unbounded growth\n return formatter;\n}\n```\n\nThe attacker-controlled locale flows into the cache key through this call chain:\n\n1. **HTTP header parsed** — `HttpHeaders.findAcceptLanguage()` at `http/src/main/java/io/micronaut/http/HttpHeaders.java:766-771` calls `Locale.forLanguageTag(part)` directly on the raw `Accept-Language` value:\n\n```java\n// HttpHeaders.java:766-771\ndefault Optional<Locale> findAcceptLanguage() {\n return findFirst(HttpHeaders.ACCEPT_LANGUAGE)\n .map(text -> {\n String part = HttpHeadersUtil.splitAcceptHeader(text);\n return part == null ? Locale.getDefault() : Locale.forLanguageTag(part);\n });\n}\n```\n\n2. **Locale planted in ConversionContext** — `AbstractRouteMatch.newContext()` at `router/src/main/java/io/micronaut/web/router/AbstractRouteMatch.java:373-378` passes the request locale into the conversion context for every route argument binding:\n\n```java\n// AbstractRouteMatch.java:373-378\nprivate <E> ArgumentConversionContext<E> newContext(Argument<E> argument, HttpRequest<?> request) {\n return ConversionContext.of(\n argument,\n request.getLocale().orElse(null), // ← attacker-controlled via Accept-Language\n request.getCharacterEncoding()\n );\n}\n```\n\n3. **Unbounded cache insert** — When any temporal argument annotated with `@Format` is bound, `TimeConverterRegistrar.getFormatter(pattern, context)` is called and inserts a new `DateTimeFormatter` for each unique `pattern + locale` key.\n\nThis path is triggered for any route endpoint with a `@Format`-annotated temporal parameter. This is an officially documented and commonly used Micronaut pattern, demonstrated in the framework's own test suite:\n\n```java\n// test-suite/.../BindingController.java:105 (official Micronaut example)\n@Get(\"/dateFormat\")\npublic String dateFormat(@Format(\"dd/MM/yyyy hh:mm:ss a z\") @Header ZonedDateTime date) {\n return date.toString();\n}\n```\n\n`TimeConverterRegistrar` is an `@Internal` core bean registered unconditionally in every Micronaut application — it is not optional or user-configured. By contrast, the `DefaultHtmlErrorResponseBodyProvider` cache patched in GHSA-2hcp-gjrf-7fhc now uses a `ConcurrentLinkedHashMap` bounded at 100 entries; `TimeConverterRegistrar.formattersCache` remains an unbounded plain `ConcurrentHashMap`.\n\n## PoC\n\nAgainst any Micronaut application exposing an endpoint with a `@Format`-annotated temporal parameter:\n\n```bash\n# Flood the formattersCache with unique locale-derived keys\nfor i in $(seq 1 200000); do\n curl -s -o /dev/null \\\n -H \"Accept-Language: en-x-$(printf '%06d' $i)\" \\\n -H \"date: 01/01/2024 12:00:00 AM UTC\" \\\n \"http://localhost:8080/dateFormat\" &\n # Throttle to avoid socket exhaustion\n [ $((i % 500)) -eq 0 ] && wait\ndone\nwait\n# Server will throw OutOfMemoryError after enough unique locale entries accumulate\n```\n\nEach request with a novel `en-x-XXXXXX` private-use tag inserts a new `DateTimeFormatter` entry into the unbounded map. Each `DateTimeFormatter` (with locale metadata) occupies roughly 2–10 KB on the heap. At 100,000 unique entries, the map alone can consume ~500 MB; at 500,000 entries the JVM typically crashes with `OutOfMemoryError: Java heap space`.\n\n## Impact\n\n- An unauthenticated attacker can crash any Micronaut server that exposes at least one endpoint with a `@Format`-annotated temporal type parameter — a documented, first-class framework feature.\n- Memory grows linearly with the number of unique `Accept-Language` values sent. The BCP 47 private-use namespace (`en-x-ANYTHING`) provides millions of distinct valid locale strings.\n- No credentials, special permissions, or exploitation of application logic are required — only the ability to send HTTP requests with custom headers.\n- `TimeConverterRegistrar` is active in all Micronaut HTTP server applications by default; no special configuration is needed to be vulnerable.\n\n## Recommended Fix\n\nApply the same fix pattern used for GHSA-2hcp-gjrf-7fhc: replace the unbounded `ConcurrentHashMap` with a bounded `ConcurrentLinkedHashMap`:\n\n```java\n// In TimeConverterRegistrar.java — replace line 123\nimport io.micronaut.core.util.clhm.ConcurrentLinkedHashMap;\n\nprivate static final int MAX_FORMATTERS_CACHE_SIZE = 100;\n\nprivate final Map<String, DateTimeFormatter> formattersCache =\n new ConcurrentLinkedHashMap.Builder<String, DateTimeFormatter>()\n .maximumWeightedCapacity(MAX_FORMATTERS_CACHE_SIZE)\n .build();\n```\n\nAlternatively, since `@Format` pattern values come from static annotations (a bounded, compile-time set), the locale should be excluded from the cache key and applied at use-time instead:\n\n```java\n// In getFormatter() — cache only by pattern, apply locale at use-time\nprivate DateTimeFormatter getFormatter(String pattern, ConversionContext context) {\n DateTimeFormatter base = formattersCache.computeIfAbsent(\n pattern, p -> DateTimeFormatter.ofPattern(p)\n );\n Locale locale = context.getLocale();\n return locale != null ? base.withLocale(locale) : base;\n}\n```\n\nThis second approach bounds the cache by the number of distinct `@Format` patterns in the application, which is always small and finite, fully eliminating the attack surface.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44241", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05018", "published_at": "2026-06-08T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05057", "published_at": "2026-06-07T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05066", "published_at": "2026-06-06T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05059", "published_at": "2026-06-09T12:55:00Z" }, { "value": "0.00018", "scoring_system": "epss", "scoring_elements": "0.05082", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-44241" }, { "reference_url": "https://github.com/micronaut-projects/micronaut-core", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/micronaut-projects/micronaut-core" }, { "reference_url": "https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.22", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T15:29:50Z/" } ], "url": "https://github.com/micronaut-projects/micronaut-core/releases/tag/v4.10.22" }, { "reference_url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-8hjv-92q9-g4xj", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2026-05-13T15:29:50Z/" } ], "url": "https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-8hjv-92q9-g4xj" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44241", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44241" }, { "reference_url": "https://github.com/advisories/GHSA-8hjv-92q9-g4xj", "reference_id": "GHSA-8hjv-92q9-g4xj", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8hjv-92q9-g4xj" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/119403?format=api", "purl": "pkg:maven/io.micronaut/micronaut-context@4.10.22", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/io.micronaut/micronaut-context@4.10.22" } ], "aliases": [ "CVE-2026-44241", "GHSA-8hjv-92q9-g4xj" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-v5j9-zwec-q3eq" } ], "fixing_vulnerabilities": [], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:maven/io.micronaut/micronaut-context@4.8.6" }