GHSA-387m-935m-c4vw
Micronaut doesn't set a maximum redirect count for its HTTP Client, enabling infinite loop DoS
Details
The Netty-based Micronaut HTTP Client does not impose a limit on HTTP redirections, potentially allowing an infinite redirect loop that could lead to a denial-of-service attack.
### Patches
The following versions are patched:
- For Micronaut 5, versions equal or greater than [5.0.1](https://github.com/micronaut-projects/micronaut-core/releases/v5.0.1) >= - For Micronaut 4, versions equal or greater than [4.10.24](https://github.com/micronaut-projects/micronaut-core/releases/v4.10.24) >= - For Micronaut 3, versions equal or greater than [3.10.7](https://github.com/micronaut-projects/micronaut-core/releases/v3.10.7) >=
### Workarounds No
### Resources Micronaut 5 Patch: https://github.com/micronaut-projects/micronaut-core/commit/6e88a972718d6e1521c5b3bb7766451798dba4e3 Micronaut 4 Patch: https://github.com/micronaut-projects/micronaut-core/commit/f1dffffec8fb5e3b7e94ae907ce0be3831e499d4 Micronaut 3 Patch: https://github.com/micronaut-projects/micronaut-core/commit/c06a2715ca7f78321bc3ca05f41cca78cd351320
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 3.10.7 # pom.xml: bump <version>3.10.7</version> for io.micronaut:micronaut-http-client 4.0.0-M1 Fixed in: 4.10.24 # pom.xml: bump <version>4.10.24</version> for io.micronaut:micronaut-http-client 5.0.0-M1 Fixed in: 5.0.1 # pom.xml: bump <version>5.0.1</version> for io.micronaut:micronaut-http-client References
- https://github.com/micronaut-projects/micronaut-core/security/advisories/GHSA-387m-935m-c4vw [WEB]
- https://github.com/micronaut-projects/micronaut-core/commit/6e88a972718d6e1521c5b3bb7766451798dba4e3 [WEB]
- https://github.com/micronaut-projects/micronaut-core/commit/c06a2715ca7f78321bc3ca05f41cca78cd351320 [WEB]
- https://github.com/micronaut-projects/micronaut-core/commit/f1dffffec8fb5e3b7e94ae907ce0be3831e499d4 [WEB]
- https://github.com/micronaut-projects/micronaut-core [PACKAGE]