VDB
KO
HIGH 7.5

GHSA-387m-935m-c4vw

Micronaut doesn't set a maximum redirect count for its HTTP Client, enabling infinite loop DoS

Details

The Netty-based Micronaut HTTP Client does not impose a limit on HTTP redirections, potentially allowing an infinite redirect loop that could lead to a denial-of-service attack.

### Patches

The following versions are patched:

- For Micronaut 5, versions equal or greater than [5.0.1](https://github.com/micronaut-projects/micronaut-core/releases/v5.0.1) >= - For Micronaut 4, versions equal or greater than [4.10.24](https://github.com/micronaut-projects/micronaut-core/releases/v4.10.24) >= - For Micronaut 3, versions equal or greater than [3.10.7](https://github.com/micronaut-projects/micronaut-core/releases/v3.10.7) >=

### Workarounds No

### Resources Micronaut 5 Patch: https://github.com/micronaut-projects/micronaut-core/commit/6e88a972718d6e1521c5b3bb7766451798dba4e3 Micronaut 4 Patch: https://github.com/micronaut-projects/micronaut-core/commit/f1dffffec8fb5e3b7e94ae907ce0be3831e499d4 Micronaut 3 Patch: https://github.com/micronaut-projects/micronaut-core/commit/c06a2715ca7f78321bc3ca05f41cca78cd351320

Are you affected?

Enter the version of the package you're using.

Affected packages

Maven / io.micronaut:micronaut-http-client
Introduced in: 0 Fixed in: 3.10.7
Fix # pom.xml: bump <version>3.10.7</version> for io.micronaut:micronaut-http-client
Maven / io.micronaut:micronaut-http-client
Introduced in: 4.0.0-M1 Fixed in: 4.10.24
Fix # pom.xml: bump <version>4.10.24</version> for io.micronaut:micronaut-http-client
Maven / io.micronaut:micronaut-http-client
Introduced in: 5.0.0-M1 Fixed in: 5.0.1
Fix # pom.xml: bump <version>5.0.1</version> for io.micronaut:micronaut-http-client

References