Micronaut TimeConverterRegistrar Memory Exhaustion via Accept-Language Header

Micronaut’s TimeConverterRegistrar component contains a vulnerability that can lead to denial-of-service (DoS). The formattersCache within TimeConverterRegistrar is an unbounded ConcurrentHashMap that caches DateTimeFormatter instances. The cache key is derived from the @Format annotation pattern concatenated with the locale obtained from the HTTP Accept-Language header. By sending HTTP requests with arbitrary BCP 47 private-use extensions in the Accept-Language header (e.g., en-x-a001, en-x-a002), an unauthenticated attacker can generate a large number of unique cache keys. This leads to uncontrolled memory consumption, eventually exhausting the available heap memory and causing the JVM to crash with an OutOfMemoryError. The vulnerability affects Micronaut applications that expose endpoints with @Format-annotated temporal parameters and exists in micronaut-context versions 4.3.0 and above, up to but not including 4.10.22. This is similar to GHSA-2hcp-gjrf-7fhc but affects a different cache.

Attack Chain

1. An attacker sends an HTTP request to a Micronaut server.
2. The request includes a crafted Accept-Language header with a novel BCP 47 private-use extension (e.g., en-x-attacker).
3. Micronaut’s HttpHeaders.findAcceptLanguage() parses the Accept-Language header and extracts the locale using Locale.forLanguageTag().
4. The extracted locale is passed to AbstractRouteMatch.newContext() and stored in the ConversionContext.
5. The request is routed to an endpoint with a @Format-annotated temporal parameter.
6. TimeConverterRegistrar.getFormatter(pattern, context) is called to retrieve a DateTimeFormatter for the given pattern and locale.
7. Since the locale is novel, a new DateTimeFormatter is created and added to the unbounded formattersCache with the concatenated pattern + locale as the key.
8. The attacker repeats this process with many unique Accept-Language values, causing the formattersCache to grow without bounds, leading to an OutOfMemoryError and crashing the JVM, resulting in denial of service.

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to crash any Micronaut server that exposes an endpoint with a @Format-annotated temporal type parameter. The memory consumption grows linearly with the number of unique Accept-Language values sent by the attacker. Due to the large number of possible BCP 47 private-use extensions, attackers can easily exhaust server memory. This can lead to denial of service, disrupting legitimate users. The TimeConverterRegistrar is active in all Micronaut HTTP server applications by default.

Recommendation

• Apply the fix pattern used for GHSA-2hcp-gjrf-7fhc by replacing the unbounded ConcurrentHashMap with a bounded ConcurrentLinkedHashMap.
• Upgrade to micronaut-context version 4.10.22 or later to receive the patched version.
• Monitor web server logs for a high volume of requests with unique Accept-Language headers using the provided Sigma rule.
• Consider implementing rate limiting on requests with unique Accept-Language headers to mitigate the risk of exploitation.