Memory leak in micronaut-core

Impact

Sending an invalid Content Type header leads to memory leak in DefaultArgumentConversionContext as this type is erroneously used in static state.

Patches

The problem is patched in Micronaut 3.2.7 and above.

Workarounds

The default content type binder can be replaced in an existing Micronaut application to mitigate the issue:

package example;

import java.util.List;
import io.micronaut.context.annotation.Replaces;
import io.micronaut.core.convert.ConversionService;
import io.micronaut.http.MediaType;
import io.micronaut.http.bind.DefaultRequestBinderRegistry;
import io.micronaut.http.bind.binders.RequestArgumentBinder;
import jakarta.inject.Singleton;

@Singleton
@Replaces(DefaultRequestBinderRegistry.class)
class FixedRequestBinderRegistry extends DefaultRequestBinderRegistry {

    public FixedRequestBinderRegistry(ConversionService conversionService,
                                      List<RequestArgumentBinder> binders) {
        super(conversionService, binders);
    }

    @Override
    protected void registerDefaultConverters(ConversionService<?> conversionService) {
        super.registerDefaultConverters(conversionService);
        conversionService.addConverter(CharSequence.class, MediaType.class, charSequence -> {
            try {
                return MediaType.of(charSequence);
            } catch (IllegalArgumentException e) {
                return null;
            }
        });
    }
}

References

Commit that introduced the vulnerability micronaut-projects/micronaut-core@b8ec32c

For more information

If you have any questions or comments about this advisory:

Open an issue in Micronaut Core
Email us at info@micronaut.io

References

jameskleeh published to micronaut-projects/micronaut-core Jan 18, 2022

Published by the National Vulnerability Database Jan 18, 2022

Reviewed Jan 19, 2022

Published to the GitHub Advisory Database Jan 21, 2022

Last updated Feb 3, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

Impact

Patches

Workarounds

References

For more information

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Weaknesses

CVE ID

GHSA ID

Source code

Credits