Mallory

DoS Flaws in Micronaut and Netty Let Remote Attackers Exhaust Server Resources

Tags: open-source-dependency-vulnerability, widely-deployed-product-advisory, internet-facing-service-vulnerability, operational-disruption
Updated March 27, 2026 at 11:03 PM (2 sources)

Two high-severity denial-of-service vulnerabilities were disclosed in widely used Java infrastructure components, allowing remote attackers to exhaust CPU and memory and disrupt application availability without authentication. In Micronaut, CVE-2026-33013 affects versions before 4.10.16 and 3.10.5 and is caused by improper handling of descending array indices during application/x-www-form-urlencoded body binding in JsonBeanPropertyBinder::expandArrayToThreshold. A crafted request using indexed parameters such as authors[1].name followed by authors[0].name can trigger a non-terminating loop, CPU exhaustion, and an OutOfMemoryError.
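A defender-side illustration of the binding logic the advisory describes, added here and not Micronaut's own binder: a small form-urlencoded binder that expands indexed fields such as `authors[1].name` into lists, grows a list by a count computed once (so a smaller index arriving after a larger one is a no-op rather than a loop that never exits), and rejects indices above a fixed threshold. The threshold value, the helper names and the sample body are assumptions.

```python
# Indexed form-field binding with a fixed index threshold. Added example, not
# Micronaut's code; the threshold, helper names and SAMPLE body are assumptions
# reproducing the descending-index shape (index 1 before index 0) named above.
import re
from urllib.parse import parse_qsl

MAX_ARRAY_INDEX = 100  # assumed upper bound on any bracketed index
SEGMENT = re.compile(r"([A-Za-z_]\w*)(?:\[(\d+)\])?")  # name or name[idx]

def parse_path(key):
    """Split 'authors[1].name' into [('authors', 1), ('name', None)]."""
    parts = []
    for seg in key.split("."):
        m = SEGMENT.fullmatch(seg)
        if not m:
            raise ValueError(f"malformed key {key!r}")
        parts.append((m.group(1), int(m.group(2)) if m.group(2) else None))
    return parts

def expand_list(lst, index):
    """Grow lst so lst[index] exists; a negative growth count is a no-op."""
    if index > MAX_ARRAY_INDEX:
        raise ValueError(f"index {index} exceeds threshold {MAX_ARRAY_INDEX}")
    lst.extend({} for _ in range(index + 1 - len(lst)))
    return lst

def bind_form(body):
    """Bind an application/x-www-form-urlencoded body into nested dicts/lists."""
    root = {}
    for key, value in parse_qsl(body, keep_blank_values=True):
        path = parse_path(key)
        node = root
        for i, (name, idx) in enumerate(path):
            last = i == len(path) - 1
            if idx is None:
                if last:
                    node[name] = value
                else:
                    node = node.setdefault(name, {})
            else:
                lst = expand_list(node.setdefault(name, []), idx)
                if last:
                    lst[idx] = value
                else:
                    node = lst[idx]
    return root

# Constructed sample with descending indices (index 1 before index 0)
SAMPLE = "authors[1].name=Bob&authors[0].name=Alice"
```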

Netty separately patched CVE-2026-33871, a denial-of-service flaw in HTTP/2 processing that affects versions before 4.1.132.Final and 4.2.10.Final. The bug lets attackers flood servers with CONTINUATION frames because the framework did not enforce a limit on their number, and existing size-based protections could be bypassed with zero-byte frames. The result is excessive CPU consumption with minimal bandwidth, potentially leaving HTTP/2 services unresponsive. The issues are tracked as CWE-835 in Micronaut and CWE-770 in Netty, and both vendors released fixed versions for affected branches.
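To show why a size-based check alone does not stop the CONTINUATION flood described above, here is an added example (not Netty's code) of a header-block assembler that enforces both a byte limit and a frame-count limit. The frame layout follows RFC 7540 section 4.1; the limit values and the constructed frame sequences are assumptions, and `count_limit=False` models the size-only behaviour that zero-byte frames never trip.

```python
# HTTP/2 header-block assembly with a CONTINUATION frame count limit.
# Added example, not Netty's code. Frame layout follows RFC 7540 sec. 4.1;
# the limits and the constructed frame sequences are assumptions, chosen to
# show why a size-only check is bypassed by zero-byte frames and a count is not.
import struct

HEADERS, CONTINUATION, END_HEADERS = 0x1, 0x9, 0x4
MAX_HEADER_BLOCK_BYTES = 8192  # assumed size-based limit
MAX_CONTINUATION_FRAMES = 8    # assumed count-based limit

def frame(ftype, flags, stream_id, payload=b""):
    """Serialize one frame: 24-bit length, type, flags, 31-bit stream id."""
    return (struct.pack(">I", len(payload))[1:] + bytes([ftype, flags])
            + struct.pack(">I", stream_id & 0x7FFFFFFF) + payload)

def iter_frames(data):
    """Yield (type, flags, stream_id, payload) tuples from raw bytes."""
    pos = 0
    while pos + 9 <= len(data):
        length = int.from_bytes(data[pos:pos + 3], "big")
        ftype, flags = data[pos + 3], data[pos + 4]
        sid = int.from_bytes(data[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        yield ftype, flags, sid, data[pos + 9:pos + 9 + length]
        pos += 9 + length

def assemble_header_block(data, count_limit=True):
    """Return ('ok', block) or ('reject', reason) for the first header block.
    count_limit=False keeps only the size check, which empty frames never trip."""
    block, seen, in_block = b"", 0, False
    for ftype, flags, sid, payload in iter_frames(data):
        if ftype == HEADERS:
            block, seen, in_block = payload, 0, True
        elif ftype == CONTINUATION and in_block:
            seen += 1
            block += payload
            if count_limit and seen > MAX_CONTINUATION_FRAMES:
                return "reject", "too many CONTINUATION frames"
        else:
            return "reject", f"unexpected frame type {ftype:#x}"
        if len(block) > MAX_HEADER_BLOCK_BYTES:
            return "reject", "header block too large"
        if flags & END_HEADERS:
            return "ok", block
    return "reject", "header block never terminated"

# Constructed inputs: a normal two-frame block and a zero-byte CONTINUATION flood
NORMAL = frame(HEADERS, 0, 1, b"\x82") + frame(CONTINUATION, END_HEADERS, 1, b"\x86")
FLOOD = (frame(HEADERS, 0, 1, b"\x82") + frame(CONTINUATION, 0, 1) * 1000
         + frame(CONTINUATION, END_HEADERS, 1))
```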

Timeline

1. Mar 27, 2026: Netty releases fixes for CVE-2026-33871

   Netty fixed the HTTP/2 CONTINUATION frame flood vulnerability in versions 4.1.132.Final and 4.2.10.Final. The update closed the zero-byte frame bypass and added the missing limit that had enabled remote DoS.

2. Mar 27, 2026: Netty publishes CVE-2026-33871 for HTTP/2 CONTINUATION frame flood DoS

   A new CVE was published for Netty describing a denial-of-service issue in HTTP/2 servers caused by unlimited CONTINUATION frames and a zero-byte frame bypass of size-based mitigations. The flaw affected versions prior to 4.1.132.Final and 4.2.10.Final and could drive high CPU usage with minimal bandwidth.

3. Mar 20, 2026: Micronaut fixes CVE-2026-33013 in supported release branches

   Micronaut addressed CVE-2026-33013 in versions 4.10.16 and 3.10.5. The fix remediated incorrect handling in JsonBeanPropertyBinder::expandArrayToThreshold that allowed remote DoS via crafted indexed form parameters.

4. Mar 20, 2026: Micronaut receives report of form-binding DoS vulnerability

   A report of a denial-of-service flaw in Micronaut's form-urlencoded body binding was received via security-advisories@github.com. The bug involved descending array indices causing a non-terminating loop, CPU exhaustion, and a possible OutOfMemoryError.

Related Stories

High-Severity Flaws Expose h3 to DoS and mcp-handler to Cross-Client Data Leaks

Two newly disclosed vulnerabilities affect widely used JavaScript server components, with one enabling **application-level denial of service** in `h3` and the other causing **cross-client data exposure** in `mcp-handler`. The `h3` flaw, tracked as `GHSA-Q5PR-72PQ-83V3`, is an algorithmic complexity issue in chunked cookie processing that lets an attacker send a very small HTTP request and force disproportionate CPU consumption. Rated **CVSS 7.5**, the bug can starve event loops and degrade availability without requiring privileges or user interaction. A separate issue in `mcp-handler`, tracked as `GHSA-W2FM-25VW-VH7F`, stems from a transport race condition that can leak sensitive MCP tool responses across client sessions. The vulnerability, rated **CVSS 7.1**, can expose database query results, local file contents, proprietary data, and raw large language model outputs, while also allowing limited attacker-controlled input injection when misrouted requests are processed in a victim session. The risk is highest in stateless serverless deployments such as **AWS Lambda** or edge runtimes where developers reuse global `McpServer` or `StreamableHTTPServerTransport` instances, while persistent Node.js deployments that create transport objects per connection are described as resistant to this specific flaw.

1 month ago
Microsoft Patches Remote Denial-of-Service Vulnerabilities in .NET and ASP.NET Core

Microsoft published security advisories for two **Important** remote **denial-of-service (DoS)** vulnerabilities affecting **.NET** and **ASP.NET Core**: **CVE-2026-26127** and **CVE-2026-26130**. Both issues are scored **CVSS 3.1 7.5** with `AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`, indicating network-reachable exploitation with low complexity, no privileges, and no user interaction, resulting in high availability impact. CVE-2026-26127 is described as a **.NET DoS** condition associated with **CWE-125 (Out-of-bounds Read)**, while CVE-2026-26130 is an **ASP.NET Core DoS** issue associated with **CWE-770 (Allocation of Resources Without Limits or Throttling)**. Organizations running internet-exposed or high-availability services on these frameworks should prioritize applying Microsoft’s updates and review service-level protections (e.g., request throttling and resource limits) where applicable to reduce DoS risk.

1 month ago
Multiple Recent Vulnerabilities in Apache Tomcat

Two significant vulnerabilities have been identified in Apache Tomcat, each with distinct attack vectors and impacts. CVE-2025-61795 is an improper resource shutdown or release vulnerability that can lead to a denial-of-service (DoS) condition if temporary files from multipart uploads are not cleaned up promptly, potentially exhausting disk space and exposing sensitive data. This issue affects Tomcat versions 11.0.0-M1 through 11.0.11, 10.1.0-M1 through 10.1.46, 9.0.0.M1 through 9.0.109, and several end-of-life versions, with patches available in 11.0.12, 10.1.47, and 9.0.110 and later. CVE-2025-55752 is a relative path traversal vulnerability introduced by a regression in the fix for a previous bug, allowing attackers to bypass security constraints and potentially upload malicious files if specific, non-default configurations are present. This vulnerability affects Tomcat versions 11.0.0-M1 through 11.0.10, 10.1.0-M1 through 10.1.44, 9.0.0.M11 through 9.0.108, and certain EOL versions, with fixes in 11.0.11, 10.1.45, and 9.0.109 and later. Both vulnerabilities require prompt attention from administrators, especially those running affected Tomcat versions. The DoS vulnerability (CVE-2025-61795) can be exploited by attackers to exhaust server resources, while the path traversal flaw (CVE-2025-55752) could lead to remote code execution under specific conditions. Organizations are advised to upgrade to the latest patched versions to mitigate these risks and review their Tomcat configurations to ensure that non-default features such as HTTP PUT requests and URL rewriting are not unnecessarily enabled.

1 month ago
